Re: Protection from SQL injection
| От | PFC |
|---|---|
| Тема | Re: Protection from SQL injection |
| Дата | |
| Msg-id | op.uahhlhb2cigqcu@apollo13.peufeu.com обсуждение исходный текст |
| Ответ на | Re: Protection from SQL injection (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: Protection from SQL injection
|
| Список | pgsql-hackers |
> Sure, modifying the WHERE clause is still possible, but the attacker is > a lot more limited in what he can do if he can't tack on a whole new > command. I hacked into a site like that some day to show a guy that you shouldn't trust magicquotes (especially when you switch hosting providers and it's not installed at your new provider, lol).Binary search on the password field by adding some stuff to the WHERE...You couldstill wipe out tables (just add a "' OR 1;--" to the id in the url to delete somthing... But it's true that preventing multi-statements adds a layer of idiot-proofness... a rather thin layer... > > The important aspects of this that I see are: > > 1. Inexpensive to implement; > 2. Unlikely to break most applications; > 3. Closes off a fairly large class of injection attacks. > > The cost/benefit ratio looks pretty good (unlike the idea that started > this thread...) > > regards, tom lane >
В списке pgsql-hackers по дате отправления: