Re: Sql injection attacks
From | Geoff Caplan |
---|---|
Subject | Re: Sql injection attacks |
Date | |
Msg-id | 23364191259.20040726151628@variosoft.com |
In reply to | Re: Sql injection attacks (Doug McNaught <doug@mcnaught.org>) |
Responses | Re: Sql injection attacks |
List | pgsql-general |
Doug,

DM> Geoff Caplan <geoff@variosoft.com> writes:

>> But in web work, you are often using GET/POST data directly in your
>> SQL clauses, so the untrusted data is part of the query syntax and not
>> just a value.

DM> Can you give an example of this that isn't also an example of
DM> obviously bad application design?

I'm no expert to put it mildly, but if you Google for "SQL Injection Attack" you'll find a lot of papers by security agencies and consultancies. You could start with these:

www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.net-security.org/article.php?id=142

They are SQL Server oriented, but many of the issues would apply to Postgres.

------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154
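An illustration of the distinction discussed in this message, between request data used as a value and request data that selects part of the query syntax. This is an added example, not part of the original message; the `products` table, the parameter names and the use of Python's `sqlite3` as a stand-in for Postgres are assumptions.

```python
import sqlite3

# Allowlist: request token -> SQL fragment. Only these fragments reach the query text.
SORT_COLUMNS = {"name": "name", "price": "price"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query(params):
    """Return (sql, bind_values) for a listing driven by GET-style params."""
    sort = params.get("sort", "name")
    direction = params.get("dir", "asc").lower()
    # ORDER BY targets are syntax and cannot be bound, so they are looked up,
    # never copied from the request.
    if sort not in SORT_COLUMNS or direction not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort option")
    sql = (
        "SELECT name, price FROM products WHERE category = ? "
        f"ORDER BY {SORT_COLUMNS[sort]} {SORT_DIRECTIONS[direction]}"
    )
    # The category is a value, so it travels as a bound parameter, not as SQL text.
    return sql, (params.get("category", ""),)


def list_products(conn, params):
    sql, values = build_query(params)
    return conn.execute(sql, values).fetchall()


def demo_connection():
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, category TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("anvil", 30.0, "tools"), ("chisel", 12.5, "tools"),
         ("O'Neil saw", 20.0, "tools"), ("rope", 5.0, "misc")],
    )
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(list_products(conn, {"category": "tools", "sort": "price", "dir": "desc"}))
    try:
        list_products(conn, {"category": "tools", "sort": "price; DROP TABLE products"})
    except ValueError as exc:
        print("rejected:", exc)
```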