Re: Preventing sql injection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Alvaro Herrera wrote:
On Wed, Aug 10, 2005 at 10:02:05AM -0700, Rick Roman wrote:
  
I have a web application that will allow users to submit comments. The 
database activity consists of a single insert statement into a comments 
table. I want to lock down this operation against sql injection attacks. 
Can someone point me to a discussion of general principles? I've seen 
reference to V3 extended-query protocol. Where is this invoked? Other 
suggestions?
    

What language are you using?

The general principle is that you have to look user input for certain
chars, such as ' and \, and escape them somehow.

There's another way, which is using new features of the v3 protocol.
One easy way to do that is using PQexecParams() instead of PQexec(), if
you are dealing with C programs.

  
I am using PG 7.3, Java through the OBJ Object/relational bridge.

[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux