Re: [SQL] security: escaping user-supplied data
| От | Bruce Momjian |
|---|---|
| Тема | Re: [SQL] security: escaping user-supplied data |
| Дата | |
| Msg-id | 199910122057.QAA09225@candle.pha.pa.us обсуждение исходный текст |
| Ответ на | Re: [SQL] security: escaping user-supplied data ("Albert REINER" <areiner@tph.tuwien.ac.at>) |
| Список | pgsql-sql |
PHP has some function that auto-escapes a query string so it is safe.
You may want to check that.
> On Tue, Oct 12, 1999 at 11:53:44AM +0200, Herouth Maoz wrote:
> > At 02:31 +0200 on 12/10/1999, Jason Uhlenkott wrote:
> >
> >
> > > The statements I generate are usually of the form:
> > > INSERT INTO foo (bar, bas) VALUES ('abc', 'def');
> > > but the 'abc' and 'def' come from an untrusted source, so if they supply
> > > a string like "def'); delete from foo; '" they can make me do this:
> > > INSERT INTO foo (bar, bas) VALUES ('abc', 'def'); delete from foo; '');
> > >
> > > What do I need to do to prevent this? My current plan is to prepend a
> > > backslash to every single-quote, backslash, and semicolon in the
> > > untrusted string. Are there any other special characters I should watch
> > > out for? Is it possible to do something evil despite your special
> > > characters being prepended with a backslash?
> >
> > I don't see why you would want to escape a semicolon. If you escape single
> > quotes and backslashes, the above situation won't happen - the string won't
> > be finished until the first unescaped quote - yours - is encountered.
> > Semicolons are not special in strings.
> >
> > Herouth
>
> I once posted a similar question to the pgsql-novice mailing
> list. There, David Rugge (1 Aug 1999) told me to escape ', ", and %,
> even though I am not quite sure why you have to escape " and %. But
> now that I think of it: you also need to escape \, of course, or
> backslashes will either get lost or, even worse, may escape the
> closing quote (think of $def="\"). Thus, using Perl and Pg, you would
> do:
>
> use Pg;
> $conn = ...;
>
> $abc="abc";
> $def="def";
> $conn->exec("INSERT INTO foo (bar, bas) VALUES ('" .
> &stdstr($abc) . "', '" . &stdstr($def) . "')";
>
> sub stdstr {
> local $or = $_[0];
> $or =~ s /\'/\\\'/g;
> $or =~ s /\"/\\\"/g;
> $or =~ s /%/\\%/g;
> $or =~ s /\\/\\\\/g;
> return $or;
> }
>
> Hope that helps,
>
> Albert.
>
> --
>
> ---------------------------------------------------------------------------
> Post an / Mail to / Skribu al: Albert Reiner <areiner@tph.tuwien.ac.at>
> ---------------------------------------------------------------------------
>
> ************
>
>
-- Bruce Momjian | http://www.op.net/~candle maillist@candle.pha.pa.us | (610)
853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill,
Pennsylvania19026
В списке pgsql-sql по дате отправления: