Re: Protection from SQL injection

| From | Tom Lane |
|---|---|
| Subject | Re: Protection from SQL injection |
| Date | |
| Msg-id | 14964.1209655581@sss.pgh.pa.us |
| In reply to | Re: Protection from SQL injection (Gregory Stark <stark@enterprisedb.com>) |
| Responses | Re: Protection from SQL injection; Re: Protection from SQL injection |
| List | pgsql-hackers |
Gregory Stark <stark@enterprisedb.com> writes:
> "Andrew Sullivan" <ajs@commandprompt.com> writes:
>> The _principal_ trick with SQL injection is to fool the application
>> into somehow handing a ";" followed by an arbitrary SQL statement.
> They're the principal trick only because they're the most convenient. If you
> block them (as you can today by using PQExecParams() !!!) then people will
> switch to other things.

Sure, modifying the WHERE clause is still possible, but the attacker is a lot
more limited in what he can do if he can't tack on a whole new command.

The important aspects of this that I see are:

1. Inexpensive to implement;
2. Unlikely to break most applications;
3. Closes off a fairly large class of injection attacks.

The cost/benefit ratio looks pretty good (unlike the idea that started this
thread...)

regards, tom lane