Re: Sql injection attacks
From | Matthew D. Fuller |
---|---|
Subject | Re: Sql injection attacks |
Date | |
Msg-id | 20040726112213.GT22300@over-yonder.net |
In reply to | Re: Sql injection attacks (Mage <mage@mage.hu>) |
List | pgsql-general |
On Mon, Jul 26, 2004 at 08:08:35AM +0200 I heard the voice of Mage, and lo! it spake thus:

> Bill Moran wrote:
> >
> > Simply put:
> > 1) If the untrusted value is a string, using a proper escape
> >    sequence should make it safe.
>
> in pgsql (and mysql) you can escape almost everything.
>
> update table set a = '5' is correct, even if column a is integer type.
> You can't escape the null value.

Which, IMO, is a great thing; I studiously trained myself to use the escaping functions on every value I ever use in a query. If you escape everything unconditionally, without worrying about what type the column is, there's a lot less chance for mistakes and oversights.

-- 
Matthew Fuller (MF4839) | fullermd@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
"The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet"
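An added example, not code from the thread or from PostgreSQL, of the "escape every value regardless of column type" habit Matthew describes, with NULL handled as the one value that has no quoted form (Mage's point). It assumes a PostgreSQL server with standard_conforming_strings on (the default since 9.1), so only single quotes need doubling; the table and column names are assumed to be trusted program constants, not user input.

```python
# Added example (not from the mailing-list thread). Assumes PostgreSQL
# with standard_conforming_strings = on, so a single quote is the only
# character that must be doubled; with it off, backslashes would too.

from typing import Optional


def pg_literal(value: Optional[object]) -> str:
    """Render a value as a PostgreSQL literal, quoting unconditionally.

    Every non-NULL value becomes a quoted string with embedded single
    quotes doubled. PostgreSQL coerces '5' to an integer column, so no
    per-column-type branch is needed (the branch is where oversights
    creep in). None becomes the bare keyword NULL, which cannot be
    expressed as an escaped string.
    """
    if value is None:
        return "NULL"
    return "'" + str(value).replace("'", "''") + "'"


def build_update(table: str, column: str, value: Optional[object], row_id: int) -> str:
    """UPDATE with both the new value and the id passed through pg_literal.

    table and column are assumed to be trusted identifiers chosen by the
    program, so only the two data values are escaped here.
    """
    return (
        f"UPDATE {table} SET {column} = {pg_literal(value)} "
        f"WHERE id = {pg_literal(row_id)}"
    )


def naive_update(table: str, column: str, value: object, row_id: int) -> str:
    """The pattern to avoid: the value is interpolated unquoted because the
    author assumed an integer column needs no escaping, so whatever the
    caller supplies lands in the statement as-is."""
    return f"UPDATE {table} SET {column} = {value} WHERE id = {row_id}"
```

Server-side parameter binding (for example psycopg's `%s` placeholders with a parameter tuple) removes the need to build literals at all, but wherever strings are still assembled by hand this is the discipline the thread recommends.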