Re: Secure "where in(a,b,c)" clause.
From | brian |
---|---|
Subject | Re: Secure "where in(a,b,c)" clause. |
Date | |
Msg-id | 47F51593.1080205@zijn-digital.com |
In reply to | Secure "where in(a,b,c)" clause. ("William Temperley" <willtemperley@gmail.com>) |
List | pgsql-general |
William Temperley wrote:
> Hi All
>
> I hope this isn't a FAQ, but does anyone have any suggestions as to
> how to make a query that selects using:
> "where in(<comma delimited list>)"
> secure from an sql injection point of view?
>
> I have a grid of tiles I'm using to reference geographical points.
> These tiles are identical to the tiling system google maps uses. My
> google maps application works out the tiles it wants to display as a
> list of tile names, and sends this list to a php script.
>
> This works very well, however I'm currently directly concatenating a sql query:
>
> select st_collect(the_geom) from tiles where tilename in
> (<comma delimited list>)
>
> Which leaves my application vulnerable to sql injection.
>
> As the length of the comma delimited list is highly variable I don't
> think I can use a prepared query to increase security.

Aside from using a prepared statement, your application code can simply ensure that each named tile follows whatever naming conventions you have in place. A very basic regex should do.

b
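The two approaches raised in this thread (a whitelist regex on each tile name, and a prepared statement whose placeholder count follows the length of the list) can be combined, as in the following added example. It is not code from the thread or from the original poster's PHP script: the tile-name pattern is a hypothetical convention (the thread never states the real one), the `$n` placeholders are the form PostgreSQL's `pg_query_params`/libpq expect, and the in-memory SQLite table with constructed rows exists only so the parameterised lookup can be exercised offline.

```python
import re
import sqlite3

# Hypothetical tile-name convention: 1-16 lowercase letters or digits.
# The thread never states the real scheme; adjust the pattern to match yours.
TILE_NAME_RE = re.compile(r"^[a-z0-9]{1,16}$")


def validate_tile_names(names):
    """Whitelist check from the reply above: every name must match the
    convention, otherwise the whole request is rejected."""
    bad = [n for n in names if not isinstance(n, str) or not TILE_NAME_RE.match(n)]
    if bad:
        raise ValueError(f"invalid tile names: {bad!r}")
    return list(names)


def build_in_query(names, style="pg"):
    """Build the query with one placeholder per list element, so the list
    length can vary while every value still travels as a bound parameter.
    style="pg"    -> $1, $2, ...  (PostgreSQL pg_query_params / libpq)
    style="qmark" -> ?, ?, ...    (DB-API drivers such as sqlite3)
    Returns (sql, params); the caller passes both to the driver."""
    if not names:
        raise ValueError("IN list must not be empty")
    if style == "pg":
        placeholders = ", ".join(f"${i}" for i in range(1, len(names) + 1))
    elif style == "qmark":
        placeholders = ", ".join("?" for _ in names)
    else:
        raise ValueError(f"unknown placeholder style {style!r}")
    sql = f"select st_collect(the_geom) from tiles where tilename in ({placeholders})"
    return sql, list(names)


def lookup_tiles_sqlite(requested):
    """Offline demonstration against an in-memory SQLite table with
    constructed rows; the real application would send the 'pg' form to
    PostgreSQL. Returns the tile names that actually matched."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tiles (tilename text primary key, the_geom text)")
    conn.executemany(
        "insert into tiles values (?, ?)",
        [("tqrs", "POINT(0 0)"), ("tqrt", "POINT(1 0)"), ("tqsr", "POINT(0 1)")],
    )
    placeholders = ", ".join("?" for _ in requested)
    rows = conn.execute(
        f"select tilename from tiles where tilename in ({placeholders}) order by tilename",
        list(requested),
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    names = validate_tile_names(["tqrs", "tqsr"])
    print(build_in_query(names))
    print(lookup_tiles_sqlite(names))
    # A value containing SQL syntax fails the whitelist before any query is built...
    try:
        validate_tile_names(["tqrs') or 1=1 --"])
    except ValueError as e:
        print("rejected:", e)
    # ...and even if it reached the database as a bound parameter it would be
    # compared as a plain string that matches no tilename, never parsed as SQL.
    print(lookup_tiles_sqlite(["tqrs') or 1=1 --"]))
```

The whitelist is the cheap first line of defence the reply recommends, and the placeholder generation removes the reason given for avoiding a prepared statement: the statement text changes only in the number of `$n` markers, and the values themselves never enter the SQL string. With PostgreSQL you can also avoid the variable placeholder count altogether by binding a single array parameter and writing `where tilename = any($1)`.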