Re: Re : Re: secure sql-statments
| От | Shevland, Joseph (AU - Hobart) |
|---|---|
| Тема | Re: Re : Re: secure sql-statments |
| Дата | |
| Msg-id | CDDF6190494B6648934181A2719E72C1027338F6@ausyd0405.au.deloitte.com обсуждение исходный текст |
| Ответ на | Re : Re: secure sql-statments (list@meinsenf.at) |
| Список | pgsql-jdbc |
> >> what characters do I have to quote, so that the client can't submit
> >> evil sql-statments?
> >
> >I believe the only characters you need to escape for postgres are '\'
> >and ''', but it is easier to rely on the jdbc driver to do it for you
> >by using a prepared statement (assuming your using java 2):
> >
> >PreparedStatement updateStatement = connection.prepareStatement
> > ("update table_1 set col_1 = ?");
> >p.setString(1, postParam_1);
>
> ok - I can do this for a specific update-statement!
> but can I do something more general like:
> PreparedStatement updateStatement = connection.prepareStatement
> "update ? set ? = ? where ? = ?"
> and if so - is this still secure!
No, you can't use parameters for the table and column names, only the
values. You may be able to use the same underlying code to escape the
table/column names if necessary, but I don't think table and column names
can contain the ' or / characters anyway (just a quicky test with various
create table commands, including quoting the table name). I'd probably strip
anything from the provided table/column names apart from [A-Za-z0-9].
Cheers,
Joe
***********Confidentiality/Limited Liability Statement***************
Have the latest business news and in depth analysis delivered to your
desktop. Subscribe to "Insights", Deloitte's fortnightly email
business bulletin . . .
http://www.deloitte.com.au/preferences/preference.asp
This message contains privileged and confidential information intended
only for the use of the addressee named above. If you are not the
intended recipient of this message, you must not disseminate, copy or
take any action in reliance on it. If you have received this message
in error, please notify Deloitte Touche Tohmatsu immediately. Any
views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of
Deloitte.
The liability of Deloitte Touche Tohmatsu, is limited by, and to the
extent of, the Accountants' Scheme under the Professional Standards
Act 1994 (NSW).
The sender cannot guarantee that this email or any attachment to it
is free of computer viruses or other conditions which may damage or
interfere with data, hardware or software with which it might be used.
It is sent on the strict condition that the user carries out and relies
on its own procedures for ensuring that its use will not interfere with
the recipients systems and the recipient assumes all risk of use and
absolves the sender of all responsibility for any consequence of its use.
В списке pgsql-jdbc по дате отправления: