Re: Sql injection attacks

From: Geoff Caplan
Subject: Re: Sql injection attacks
Date:
Msg-id: 141313517704.20040726011147@variosoft.com
In reply to: Re: Sql injection attacks (Bill Moran <wmoran@potentialtech.com>)
Responses: Re: Sql injection attacks
List: pgsql-general
Hi folks,

Peter Eisentraut wrote:

PE> If you use prepared statements (the details of which vary by
PE> programming language), you should be quite safe.

Peter - thanks for the suggestion. You are right: a poorly designed
function might simply concatenate the injected code - I hadn't really
thought it through. The key seems to be to treat the unsafe string as
a value so it can't leak out into the statement, and a parameterised
prepared statement would do this effectively, as you suggest. Very
elegant...

Bill Moran wrote:

BM> To protect yourself from SQL injections, just pass all your data through
BM> PQescapeString()

I'm no expert, but the papers I have been reading suggest that the
usual hygiene advice such as don't display DB error messages and escape
unsafe strings doesn't cover all types of attack. See, for example,
this:

http://www.net-security.org/article.php?id=571

But so far as I can see, Peter's suggestion should provide a workable
robust solution. So thanks again!

------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154
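The distinction Geoff describes above, the untrusted string bound as a value versus concatenated into the statement text, as an added example that is not part of the original thread. It uses Python's bundled SQLite instead of PostgreSQL purely so it runs offline; the table, rows and the sample input are constructed.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the real database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concatenated(conn, name):
    # Vulnerable: the untrusted string becomes part of the SQL text, so the
    # quote characters inside it are parsed as statement syntax.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterised(conn, name):
    # Safe: the statement is fixed; the untrusted string is passed only as a
    # bound value and can never be interpreted as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# Constructed input containing a quote and a tautology.
UNTRUSTED = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "concatenated": lookup_concatenated(conn, UNTRUSTED),  # every row leaks
        "parameterised": lookup_parameterised(conn, UNTRUSTED),  # no such name
        "legit": lookup_parameterised(conn, "alice"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```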

