Re: (security) Rules of thumb for escaping user input?
From | Martijn van Oosterhout |
---|---|
Subject | Re: (security) Rules of thumb for escaping user input? |
Date | |
Msg-id | 20020516011137.B14367@svana.org |
In reply to | (security) Rules of thumb for escaping user input? (Bill Gribble <grib@linuxdevel.com>) |
List | pgsql-general |
On Wed, May 15, 2002 at 09:56:45AM -0500, Bill Gribble wrote:
> So the only escaping I do in my app currently is to replace ' with '' in
> user-input strings. If I assume that the goal is to prevent any
> user-input strings from being evaluated as SQL statements (only to allow
> user input as constant values), what other escaping do I need to do?

Off the top of my head, you should probably be escaping the backslash (\) also.

> Is there a SQL "hack prevention" FAQ out there somewhere?

Not that I know of. If you're using perl you can use the tainting mechanism.
Modify Pg.pm to complain about any tainted queries. Then only values that you
have cleared through a regex will work. Very secure, but can be a lot of work.
Other languages have tainting also IIRC.

However, I find escaping just as you're building the query to be quite effective.

--
Martijn van Oosterhout <kleptog@svana.org>   http://svana.org/kleptog/
> Canada, Mexico, and Australia form the Axis of Nations That
> Are Actually Quite Nice But Secretly Have Nasty Thoughts About America
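The following is an added example, not code from the thread or from PostgreSQL itself. It models the string-literal rules the reply is assuming (the escape-string mode in which a backslash escapes the character after it, which was the default at the time), and uses a small literal scanner to show where a literal actually ends. With that, it checks the two escaping strategies from the exchange: doubling only the single quote, versus doubling the quote and escaping the backslash. The query text, the `escape_*` helpers and `literal_is_exact` are constructed for this illustration.

```python
from typing import Callable, Optional

# Constructed query skeleton: the application wraps user input in quotes.
PREFIX = "SELECT * FROM users WHERE name = "
SUFFIX = " AND active"


def escape_quotes_only(s: str) -> str:
    """The escaping from the original question: only ' -> ''."""
    return s.replace("'", "''")


def escape_quotes_and_backslash(s: str) -> str:
    """Escape the backslash first, then double the quote, so a quote
    that the user typed is never left adjacent to an unescaped backslash."""
    return s.replace("\\", "\\\\").replace("'", "''")


def literal_end(sql: str, start: int) -> Optional[int]:
    """Index just past the string literal opened at sql[start] == "'",
    under escape-string semantics: '' is a literal quote and a backslash
    escapes whatever character follows it (assumption: pre-9.1 default
    behaviour, standard_conforming_strings = off).  None if never closed."""
    assert sql[start] == "'"
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":
            i += 2          # backslash consumes the next character
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2      # doubled quote stays inside the literal
                continue
            return i + 1    # real closing quote
        i += 1
    return None


def build_query(escape: Callable[[str], str], user_input: str) -> str:
    """Build the query the way the question describes: escape, then quote."""
    return PREFIX + "'" + escape(user_input) + "'" + SUFFIX


def literal_is_exact(escape: Callable[[str], str], user_input: str) -> bool:
    """True iff the database would end the literal exactly where the
    application placed its closing quote; False means part of the user
    input has leaked out of the literal (or the literal never closes)."""
    sql = build_query(escape, user_input)
    intended_end = len(PREFIX) + len(escape(user_input)) + 2
    return literal_end(sql, len(PREFIX)) == intended_end


if __name__ == "__main__":
    # Constructed inputs: a name with a quote, and inputs ending in or
    # containing a backslash before a quote.
    for value in ["O'Brien", "abc\\", "\\'"]:
        for fn in (escape_quotes_only, escape_quotes_and_backslash):
            print(f"{fn.__name__:28} {value!r:10} exact={literal_is_exact(fn, value)}")
```

A plain apostrophe is handled by either strategy, but an input that ends in a backslash turns the application's closing quote into an escaped character with quote-only escaping, so the literal runs on into `AND active`; escaping the backslash as well keeps every literal boundary where the application put it.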