Re: Sql injection attacks
From | Harald Fuchs |
---|---|
Subject | Re: Sql injection attacks |
Date | |
Msg-id | pubri2n0it.fsf@srv.protecting.net |
In reply to | Sql injection attacks (Geoff Caplan <geoff@variosoft.com>) |
List | pgsql-general |
In article <27702.1090854781@sss.pgh.pa.us>, Tom Lane <tgl@sss.pgh.pa.us> writes:

> Geoff Caplan <geoff@variosoft.com> writes:
>> Obviously, proper validation is a given for all kinds of reasons. But
>> the problem with validation/escaping as the primary defense against
>> injection seems to be that simply escaping would not catch every type
>> of insertion via strings.

> I think you misunderstood. Escaping is perfectly safe (given a correct
> escaping function) if it's used on *every* untrustworthy input string.
> The argument for the "keep data separate from code" approach is
> essentially just that it's easier to be sure you haven't forgotten
> anyplace where you need to escape.

Exactly. As long as you escape everything, you're safe. The only thing to remember is that you have to escape in both directions: whatever you get from your web page and want to put into the DB should be SQL-escaped, and whatever you get from the DB and want to display on a web page should be HTML-escaped (including error messages from PostgreSQL).
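The two escaping directions from the post, as an added example that is not part of the thread or of PostgreSQL: the quote-doubling rule for SQL literals beside the parameterized form Tom Lane argues for, and HTML escaping of everything read back, including database error text. sqlite3 stands in for PostgreSQL so the example runs offline; the table, rows and names are constructed.

```python
import html
import sqlite3

# Constructed sample data; sqlite3 stands in for PostgreSQL so this runs offline.
ROWS = [("O'Brien", "ob@example.com"), ("<Ann & Bob>", "ab@example.com")]


def setup() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def sql_quote_literal(value: str) -> str:
    """Turn an untrusted string into a SQL literal by doubling single quotes.
    This is the standard-SQL rule PostgreSQL applies with
    standard_conforming_strings on; prefer the driver's own quoting function."""
    return "'" + value.replace("'", "''") + "'"


def lookup_naive(conn: sqlite3.Connection, name: str) -> list:
    """The forgotten-escape case: a plain apostrophe in a name breaks the query."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Direction 1a (escaping): every untrusted value passes through sql_quote_literal."""
    sql = "SELECT email FROM users WHERE name = " + sql_quote_literal(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Direction 1b (data kept separate from code): the driver carries the value
    as a parameter, so there is no place left to forget an escape."""
    return [row[0] for row in
            conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


def render_rows(rows: list) -> str:
    """Direction 2: everything read back from the DB is HTML-escaped before display."""
    return "".join("<li>%s (%s)</li>" % (html.escape(n), html.escape(e)) for n, e in rows)


def render_db_error(exc: Exception) -> str:
    """Database error text is untrusted output as well and is HTML-escaped too."""
    return '<p class="error">%s</p>' % html.escape(str(exc))
```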