Re: Protection from SQL injection
| From | Gurjeet Singh |
|---|---|
| Subject | Re: Protection from SQL injection |
| Date | |
| Msg-id | 65937bea0804301037q4febd3a3pf680db64387893e2@mail.gmail.com |
| In reply to | Re: Protection from SQL injection (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses | Re: Protection from SQL injection |
| List | pgsql-hackers |
On Wed, Apr 30, 2008 at 10:58 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> "Gurjeet Singh" <singh.gurjeet@gmail.com> writes:
> > Maybe we can extend the SQL's WITH clause to declare the constant along with
> > the query, and not separate from the query.
> > WITH CONSTANT c_jobrole = 'clerk', CONSTANT c_dept = 10
> > SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
>
> [ scratches head... ] And that will provide SQL injection protection how?

Well, if the query was:

WITH CONSTANT c_jobrole = <value from a FORM text field>, CONSTANT c_dept = 10
SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;

And if the attacker supplied a value 'clerk OR 1=1', the final query (after replacing constants) would look like this:

SELECT * FROM emp WHERE jobrole = 'clerk OR 1=1' and deptno = 10;

The attacker was not able to inject any new code there.

(reiterates: and let postgres allow literals only in the WITH clause)

> Anyway, you hardly need new syntax to do that, I'd expect
> WITH SELECT 'clerk' AS c_jobrole ...
> to accomplish it just fine.

I am not sure I understood this example.

Best regards,
--
gurjeet[.singh]@EnterpriseDB.com
singh.gurjeet@{ gmail | hotmail | indiatimes | yahoo }.com
EnterpriseDB http://www.enterprisedb.com
Mail sent from my BlackLaptop device
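The following is an added example, not part of the message above and not PostgreSQL code. It is written in Python against an in-memory SQLite database with a constructed `emp` table, and it isolates what actually protects the query in this exchange: the form value reaching the database as a bound parameter instead of being spliced into the SQL text. It runs Gurjeet's `clerk OR 1=1` value, which does not break out even of a concatenated query because it carries no quote, next to a quote-bearing value of my own (`clerk' OR 1=1 --`) that does, and a CTE form that approximates Tom's `WITH ... AS c_jobrole` sketch with the literal supplied as a parameter. The table contents, the comment-based payload and the exact CTE spelling are my assumptions.

```python
import sqlite3

# Constructed sample rows for the emp table used in the thread (not from the original message).
EMP_ROWS = [
    (1, "clerk", 10),
    (2, "clerk", 20),
    (3, "manager", 10),
    (4, "analyst", 30),
]


def make_db():
    """Build an in-memory SQLite database with the constructed emp table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE emp (empno INTEGER PRIMARY KEY, jobrole TEXT, deptno INTEGER)"
    )
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?)", EMP_ROWS)
    return conn


def query_concat(conn, jobrole, deptno=10):
    """Vulnerable form: the form value is spliced into the SQL text.

    Returns the sorted empno list so the result is order-independent even
    when an injected comment strips the rest of the statement.
    """
    sql = f"SELECT empno FROM emp WHERE jobrole = '{jobrole}' AND deptno = {deptno}"
    return sorted(r[0] for r in conn.execute(sql))


def query_param(conn, jobrole, deptno=10):
    """Safe form: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT empno FROM emp WHERE jobrole = ? AND deptno = ?"
    return sorted(r[0] for r in conn.execute(sql, (jobrole, deptno)))


def query_cte(conn, jobrole, deptno=10):
    """CTE variant approximating the WITH-based sketch from the thread.

    The 'constants' live in a leading CTE, but the protection still comes from
    binding them as parameters; a literal spliced into the CTE would be just as
    injectable as one spliced into the WHERE clause.
    """
    sql = (
        "WITH c AS (SELECT ? AS c_jobrole, ? AS c_dept) "
        "SELECT e.empno FROM emp e, c "
        "WHERE e.jobrole = c.c_jobrole AND e.deptno = c.c_dept"
    )
    return sorted(r[0] for r in conn.execute(sql, (jobrole, deptno)))


def demo():
    """Run the three query styles against a benign value and two attacker values."""
    conn = make_db()
    benign = "clerk"
    no_quote = "clerk OR 1=1"        # the value discussed in the thread
    with_quote = "clerk' OR 1=1 --"  # assumed payload that closes the literal
    return {
        "concat_benign": query_concat(conn, benign),
        "concat_no_quote": query_concat(conn, no_quote),
        "concat_with_quote": query_concat(conn, with_quote),
        "param_with_quote": query_param(conn, with_quote),
        "cte_with_quote": query_cte(conn, with_quote),
        "cte_benign": query_cte(conn, benign),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The `clerk OR 1=1` value returns nothing in every form, which is the observation in the message above; it only becomes an injection once the attacker closes the string literal, and at that point the concatenated query returns every row while both parameterized forms still return nothing. The CTE adds no safety on its own; what matters is that the literal is bound, not interpolated.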