Re: Limit on number of queries from CGI or PHP (security)
From | Michelle Murrain |
---|---|
Subject | Re: Limit on number of queries from CGI or PHP (security) |
Date | |
Msg-id | a05001901b6120121586b@[192.168.1.10] |
In reply to | Limit on number of queries from CGI or PHP (security) (Rikul Patel <rikul7@yahoo.com>) |
List | pgsql-general |
At 1:00 AM -0700 10/17/00, Rikul Patel wrote:

>Hi,
>
>Is there any way I can restrict the number of queries to
>only one? Here's the problem:
>
>If a PHP script gets some data as input from the user, and
>the PHP script tries to put this data into PostgreSQL,
>what's keeping the user from modifying the data in a way that
>has PostgreSQL execute two queries?
>
>So instead of some PHP script generating a query like
>"select * from table where text='some text' or id=1",
>some malicious user could make it generate "select *
>from table where text='some text' or id=1;delete from
>table"

I don't know if this is possible - but what I do is generally give the user as little control of the generation of the query as possible. I generally generate SQL statements in a way that makes it difficult (I think) to construct a malicious query.

You also could parse the generated SQL before executing it, watching out for such words as 'delete' or 'update' if that is never going to be the intention of the query in that instance.

Michelle

--
---------------------------
Michelle Murrain, President
Norwottuck Technology Resources
mpm@norwottuck.com
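As an added example (not code from the original thread or from either poster): the string-splicing pattern the question describes, next to the hardened form using pg_query_params(), which PHP gained after this thread was written. pg_query_params() sends the statement through libpq's PQexecParams, which treats bound values purely as data and accepts at most one SQL command per call, so the server rejects a second statement instead of running it; that is the "only one query" restriction the question asks for. The connection handle, the table name `t`, the role name and the input value are assumptions constructed for the illustration.

```php
<?php
// Added example, not from the original thread. Assumes a PostgreSQL
// connection in $conn (from pg_connect()) and a table `t` with columns
// text and id; both are placeholders.

// Constructed input mirroring the value from the question: the quote
// closes the string literal and the semicolon starts a second statement.
$userText = "some text' or id=1;delete from t";

// Pattern from the question: the user's value is spliced into the SQL
// text. pg_query() hands the whole string to PQexec, which executes
// every statement it contains, so the input decides how many run.
function buildQueryUnsafe(string $userText): string
{
    return "select * from t where text='$userText' or id=1";
}

// Hardened form: the statement text is a fixed string and the value is
// bound as $1. PQexecParams never parses parameter contents as SQL and
// allows only one command per call, so "two queries" cannot happen here.
function findRowsSafe($conn, string $userText): array
{
    $res = pg_query_params(
        $conn,
        'select * from t where text = $1 or id = 1',
        [$userText]
    );
    if ($res === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    // pg_fetch_all() returns false on older PHP when no rows match.
    return pg_fetch_all($res) ?: [];
}

// Server-side counterpart to "that is never going to be the intention of
// the query": run read-only code paths as a role that only holds SELECT,
// so a mis-built statement fails with a permission error instead of
// deleting rows. Run once as a privileged user; names are placeholders.
$grantOnlySelect = <<<SQL
CREATE ROLE web_readonly LOGIN PASSWORD '<placeholder>';
GRANT SELECT ON t TO web_readonly;
SQL;

if (PHP_SAPI === 'cli') {
    echo "SQL text the unsafe pattern would send:\n";
    echo buildQueryUnsafe($userText), "\n";
    // With a live connection:
    // $conn = pg_connect('host=localhost dbname=<placeholder> user=web_readonly');
    // print_r(findRowsSafe($conn, $userText));
}
```

The two measures are complementary: parameter binding keeps user data from ever being parsed as SQL, and the SELECT-only role means that even a query built the old way cannot delete or update, which is what a keyword scan for 'delete' or 'update' is trying to approximate on the client side.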