Re: SQL injection, php and queueing multiple statement

On Fri, Apr 11, 2008 at 9:21 PM, Ivan Sergio Borgonovo
<mail@webthatworks.it> wrote:
> Is there a switch (php side or pg side) to avoid things like:
>
>  pg_query("select id from table1 where a=$i");
>
>  into becoming
>
>  pg_query("select id from table1 where a=1 and 1=1; do something
>  nasty; -- ");
>
>  So that every
>  pg_query(...) can contain no more than one statement?

Well, use prepared statements.

Apart from that, make it impossible to "do something nasty".  Your
php_db_user should be
allowed as little as possible.  Specifically:
 * she should not be owner of the tables/other objects -- this way you are safe
from nasty "DROP TABLE"s and the like.
 * you should decide where she is allowed to INSERT/UPDATE/DELETE, the latter
two are the most dangerous ones.
 * you should make use of referential integrity constraints -- so evil
DELETE or UPDATE
will probably fail on these. ;)
 * you should provide PL/pgSQL stored procedures to update your vital
data.  So evil
bulk delete/update will be harder to accomplish (if your evildoer can
craft exploit to
do it, he probably already has a lot of access to your system ;)).

...oh and think about isolating read-only acces (read only user) from
rw-user -- if
that sounds reasonable to do so.

   Regards,
      Dawid