On Wed, May 15, 2002 at 09:56:45AM -0500, Bill Gribble wrote:
> So the only escaping I do in my app currently is to replace ' with '' in
> user-input strings. If I assume that the goal is to prevent any
> user-input strings from being evaluated as SQL statements (only to allow
> user input as constant values), what other escaping do I need to do?
Off the top of my head, you should probably be escaping the backslash (\)
also.
> Is there a SQL "hack prevention" FAQ out there somewhere?
Not that I know of. If you're using perl you can use the tainting mechanism.
Modify Pg.pm to complain about any tainted queries. Then only values that
you have cleared through a regex will work. Very secure, but can be a lot of
work.
Other languages have tainting also IIRC.
However, I find escaping just as you're building the query to be quite
effective.
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Canada, Mexico, and Australia form the Axis of Nations That
> Are Actually Quite Nice But Secretly Have Nasty Thoughts About America