Re: Sql injection attacks
From | Geoff Caplan |
---|---|
Subject | Re: Sql injection attacks |
Date | |
Msg-id | 141313517704.20040726011147@variosoft.com |
In reply to | Re: Sql injection attacks (Bill Moran <wmoran@potentialtech.com>) |
Replies | Re: Sql injection attacks |
List | pgsql-general |
Hi folks,

Peter Eisentraut wrote:

PE> If you use prepared statements (the details of which vary by
PE> programming language), you should be quite safe.

Peter - thanks for the suggestion. You are right: a poorly designed function might simply concatenate the injected code - I hadn't really thought it through. The key seems to be to treat the unsafe string as a value so it can't leak out into the statement, and a parameterised prepared statement would do this effectively, as you suggest. Very elegant...

Bill Moran wrote:

BM> To protect yourself from SQL injections, just pass all your data through
BM> PQescapeString()

I'm no expert, but the papers I have been reading suggest that the usual hygiene advice such as "don't display DB error messages" and "escape unsafe strings" doesn't cover all types of attack. See, for example, this:

http://www.net-security.org/article.php?id=571

But so far as I can see, Peter's suggestion should provide a workable robust solution.

So thanks again!

------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154
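The three approaches discussed in this message (plain concatenation, escaping the string with something like PQescapeString(), and binding the value as a query parameter) side by side, as an added example that is not part of the original post or of PostgreSQL. It runs against an in-memory SQLite database as a stand-in for PostgreSQL so it works offline; `escape_quotes()` is a hand-written stand-in for PQescapeString() (it only doubles single quotes), and the table, rows and attack strings are constructed for the demo. The last pair of functions goes slightly beyond the message: it shows the case the escaping advice does not cover at all, a value spliced in outside of quotes.

```python
"""Added example: SQL injection via concatenation vs. escaping vs. parameters.

SQLite (stdlib) stands in for PostgreSQL; the injection mechanics are the same.
"""
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn, name, password):
    """VULNERABLE: untrusted input becomes part of the SQL text itself."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (
        name,
        password,
    )
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(s):
    """Hand-written stand-in for PQescapeString(): double each single quote.

    (The real libpq function also handles backslashes and encoding issues;
    this minimal version is only meant to show what escaping can and cannot do.)
    """
    return s.replace("'", "''")


def login_escaped(conn, name, password):
    """Escaping keeps the input inside the quoted string literal, so a
    quote-based payload such as  ' OR '1'='1  is defused."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (
        escape_quotes(name),
        escape_quotes(password),
    )
    return [row[0] for row in conn.execute(sql)]


def user_by_id_escaped(conn, user_id):
    """STILL VULNERABLE: the value is spliced in without quotes, so quote
    escaping changes nothing.  Input  1 OR 1=1  rewrites the WHERE clause."""
    sql = "SELECT name FROM users WHERE id = %s" % escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """SAFE: the SQL text is fixed; the values are bound as parameters and can
    never be parsed as SQL, whatever characters they contain."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def user_by_id_param(conn, user_id):
    """SAFE: a bound parameter is compared as a value; '1 OR 1=1' is simply a
    string that matches no integer id, so the result is empty."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concat   :", login_concat(db, "alice", payload))      # every user
    print("escaped  :", login_escaped(db, "alice", payload))     # []
    print("param    :", login_param(db, "alice", payload))       # []
    print("id concat:", user_by_id_escaped(db, "1 OR 1=1"))      # every user
    print("id param :", user_by_id_param(db, "1 OR 1=1"))        # []
```

The point the message makes is visible in the two "id" functions: escaping only protects a value that is guaranteed to sit inside a quoted literal, whereas a bound parameter is a value by construction and never reaches the SQL parser, so there is nothing left to escape.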