Re: Passing a table as parameter
| From | Pavel Stehule |
|---|---|
| Subject | Re: Passing a table as parameter |
| Date | |
| Msg-id | AANLkTikWYfafLK8_bgR1T2DO5vyta955ouogKNv_PFLP@mail.gmail.com |
| In reply to | Re: Passing a table as parameter (Vibhor Kumar <vibhor.kumar@enterprisedb.com>) |
| List | pgsql-general |
2011/3/21 Vibhor Kumar <vibhor.kumar@enterprisedb.com>:
>
> On Mar 22, 2011, at 1:52 AM, Pavel Stehule wrote:
>
>> simply thinks as using USAGE clause or functions quote_ident,
>> quote_literal are faster and absolutely secure :). Software like SQL
>
> I don't think usage of quote_ident, in the current requirement of the user, would prevent SQL injection.
> Running SQL multiple times, someone can guess the table name, which can give data:
> ERROR:  relation "am" does not exist
> LINE 1: SELECT content FROM am
>                             ^
> QUERY:  SELECT content FROM am
> CONTEXT:  PL/pgSQL function "foo" line 2 at RETURN QUERY
>
> SQL Protect will make the above message something like given below:
> ERROR:  SQLPROTECT: Illegal Query: relations
>

It is a different view on security. When you don't have a security gap,
then it is irrelevant if somebody has an unlimited number of trials. SQL
Protect is "security by obscurity" - a logout can be a good sign for
blind injection.

Well, usage of quote_ident and quote_literal is a perfect protection
against SQL injection. A wrong query doesn't mean a problem. The problem is
when an attacker can change the semantics of an SQL query.

Pavel

> Which stops the user guessing the relation.
>
> Thanks & Regards,
> Vibhor Kumar
> EnterpriseDB Corporation
> The Enterprise PostgreSQL Company
> vibhor.kumar@enterprisedb.com
> Blog: http://vibhork.blogspot.com
>
>
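As an added example (not code from this thread), the pattern Pavel describes: a PL/pgSQL function that takes the table name as a parameter and routes it through quote_ident (or format's %I for identifiers and %L for literals), so the parameter can only ever name a relation and cannot change the statement's structure. The sample table `am` and the function names `foo` and `foo_filtered` are assumed for the demonstration.

```sql
-- Constructed sample data (not from the thread).
CREATE TABLE am (content text);
INSERT INTO am VALUES ('hello'), ('world');

-- Hypothetical function named after the one in the quoted error message.
-- quote_ident() turns the parameter into one double-quoted identifier:
-- whatever the caller passes, the statement stays "SELECT content FROM <ident>",
-- so a bad value only produces "relation ... does not exist", never a new query.
CREATE OR REPLACE FUNCTION foo(tbl text)
RETURNS SETOF text
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tbl);
END;
$$;

-- Same protection with format(): %I quotes an identifier, %L quotes a literal,
-- which covers the quote_literal case for values as well.
CREATE OR REPLACE FUNCTION foo_filtered(tbl text, needle text)
RETURNS SETOF text
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE format(
        'SELECT content FROM %I WHERE content = %L', tbl, needle);
END;
$$;

-- Normal use: the identifier is quoted and resolves to the table.
SELECT * FROM foo('am');
SELECT * FROM foo_filtered('am', 'hello');

-- What quoting does to input that contains SQL syntax: the whole string is
-- returned as a single quoted identifier, so the query above would merely
-- fail to find such a relation.
SELECT quote_ident('am; drop table am');
```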