Re: Escaping strings for inclusion into SQL queries
| From | Bruce Momjian |
|---|---|
| Subject | Re: Escaping strings for inclusion into SQL queries |
| Date | |
| Msg-id | 200109041730.f84HUsI19449@candle.pha.pa.us |
| In reply to | Escaping strings for inclusion into SQL queries (Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>) |
| Replies | Re: Escaping strings for inclusion into SQL queries |
| List | pgsql-hackers |
Patch removed at the request of the author. Author will resubmit.

> It has come to our attention that many applications which use libpq
> are vulnerable to code insertion attacks in strings and identifiers
> passed to these applications. We have collected some evidence which
> suggests that this is related to the fact that libpq does not provide
> a function to escape strings and identifiers properly. (Both the
> Oracle and MySQL client libraries include such a function, and the
> vast majority of applications we examined are not vulnerable to code
> insertion attacks because they use this function.)
>
> We therefore suggest that a string escaping function is included in a
> future version of PostgreSQL and libpq. A sample implementation is
> provided below, along with documentation.
>
> --
> Florian Weimer                Florian.Weimer@RUS-Uni-Stuttgart.DE
> University of Stuttgart       http://cert.uni-stuttgart.de/
> RUS-CERT                      +49-711-685-5973/fax +49-711-685-5898

[ Attachment, skipping... ]

[ Attachment, skipping... ]

[ Attachment, skipping... ]

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
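An added illustration of the kind of escaping routine the quoted message asks libpq to provide. This is not Florian Weimer's attached implementation (which was removed from the archive) and not libpq code; the function names `escape_literal`, `escape_literal_alloc`, `quote_identifier` and `build_lookup_query`, and the `users` table, are assumptions for the example. It doubles both `'` and `\` inside literals, which is what PostgreSQL of that era required because backslash acted as an escape character in string literals, and it double-quotes identifiers so a column name chosen by the caller cannot end the identifier early.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Escape up to `length` bytes of `from` so the result can sit between
 * single quotes in an SQL statement: every ' and \ is doubled.
 * `to` must have room for 2*length + 1 bytes. Returns the number of
 * bytes written, not counting the terminating NUL.
 */
size_t escape_literal(char *to, const char *from, size_t length)
{
    char *dst = to;

    for (size_t i = 0; i < length && from[i] != '\0'; i++) {
        if (from[i] == '\'' || from[i] == '\\')
            *dst++ = from[i];       /* double the special character */
        *dst++ = from[i];
    }
    *dst = '\0';
    return (size_t)(dst - to);
}

/* Convenience wrapper: returns a malloc'd escaped copy; caller frees. */
char *escape_literal_alloc(const char *from)
{
    size_t n = strlen(from);
    char *out = malloc(2 * n + 1);  /* worst case: every byte doubled */

    if (out != NULL)
        escape_literal(out, from, n);
    return out;
}

/*
 * Quote an identifier (table or column name): wrap it in double quotes
 * and double any embedded double quote. Returns a malloc'd string the
 * caller frees.
 */
char *quote_identifier(const char *ident)
{
    size_t n = strlen(ident);
    char *out = malloc(2 * n + 3);  /* doubled bytes + two quotes + NUL */
    char *dst = out;

    if (out == NULL)
        return NULL;
    *dst++ = '"';
    for (size_t i = 0; i < n; i++) {
        if (ident[i] == '"')
            *dst++ = '"';
        *dst++ = ident[i];
    }
    *dst++ = '"';
    *dst = '\0';
    return out;
}

/*
 * Assemble a lookup over a caller-chosen column for an untrusted value.
 * Both pieces pass through the escaping routines, so a value such as
 * O'Reilly cannot terminate the literal. Returns a malloc'd string the
 * caller frees, or NULL on allocation failure.
 */
char *build_lookup_query(const char *column, const char *untrusted_value)
{
    static const char fmt[] = "SELECT * FROM users WHERE %s = '%s';";
    char *col = quote_identifier(column);
    char *val = escape_literal_alloc(untrusted_value);
    char *query = NULL;

    if (col != NULL && val != NULL) {
        int need = snprintf(NULL, 0, fmt, col, val);
        query = malloc((size_t)need + 1);
        if (query != NULL)
            snprintf(query, (size_t)need + 1, fmt, col, val);
    }
    free(col);
    free(val);
    return query;
}

int main(void)
{
    /* constructed sample input containing a quote and a backslash */
    char *q = build_lookup_query("last name", "O'Reilly\\Jr");

    if (q == NULL)
        return 1;
    puts(q);
    free(q);
    return 0;
}
```

Two practical notes for anyone adapting this today: escaping of this kind has to be aware of the connection's character encoding (a multibyte sequence can contain a byte that looks like a quote), which is why libpq's later PQescapeStringConn, PQescapeLiteral and PQescapeIdentifier take the connection as an argument; and with PQexecParams the value never needs to be spliced into the statement text at all, which removes the whole class of bug the thread describes.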