Re: ISO guidelines/strategies to guard injection attacks

On 1/19/2010 3:39 PM, Andy Colson wrote:
On 1/19/2010 3:23 PM, Kynn Jones wrote:
I have a Perl CGI script (using DBD::Pg) that interfaces with a
server-side Pg database. I'm looking for general
guidelines/tools/strategies that will help me guard against SQL
injection attacks.

Any pointers/suggestions would be much appreciated.

~K


prepare your queries:

my $q = $db->prepare('select something from table where key = $1');
$q->execute(42);

and..
$db->do('update table set field = $1 where key = $2', undef, 'key', 42);

(*guessed at the do(). I think there is an undef in there, or something*)

-Andy


Also, add to that, in general, use Taint Mode. Perl won't trust data until it's been sanitized... and neither should you.

I have a little helper function:

sub untaint
{
    # Match the whole value, not just its first run of word characters,
    # and return undef (instead of a stale $1) when nothing matches.
    return undef unless defined $_[0] && $_[0] =~ /\A(\w+)\z/;
    return $1;
}

Then later on:

my $xpin = untaint($web->param('pin'));

This makes sure the pin param only contains word characters (so no dashes, slashes, quotes, or any other crap).

-Andy
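Putting the two suggestions in this thread together, here is an added example (my code, not anything posted by Andy or Kynn) of a whole-value untaint check feeding a placeholder query through DBI. It assumes an in-memory DBD::SQLite database as an offline stand-in for the Pg server, a constructed `pins` table with two rows, and the helper names `untaint_word` and `owner_of_pin`, which are mine; with DBD::Pg only the DSN changes, since that driver accepts DBI's `?` placeholders as well as `$1`.

```perl
use strict;
use warnings;
use DBI;

# Accept a CGI parameter only if the entire value is word characters.
# The match is anchored with \A and \z so 'ab-cd' is rejected rather
# than truncated to 'ab', and a failed match yields undef, never a
# stale $1 left over from an earlier successful match.
sub untaint_word {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A(\w+)\z/ ? $1 : undef;
}

# Offline stand-in for the Pg connection (assumption for this example):
# an in-memory SQLite database. With DBD::Pg the DSN would be
# 'dbi:Pg:dbname=...' and the rest of the code is unchanged.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data: pin -> owner.
$dbh->do('CREATE TABLE pins (pin TEXT PRIMARY KEY, owner TEXT)');
$dbh->do('INSERT INTO pins VALUES (?, ?)', undef, 'A1B2', 'alice');
$dbh->do('INSERT INTO pins VALUES (?, ?)', undef, 'C3D4', 'bob');

# Look up the owner of a pin. The user-supplied value is validated first
# and then passed as a bind value, so it never becomes part of the SQL
# text the server parses.
sub owner_of_pin {
    my ($dbh, $raw_pin) = @_;
    my $pin = untaint_word($raw_pin);
    return undef unless defined $pin;    # fail closed on anything else
    my $sth = $dbh->prepare('SELECT owner FROM pins WHERE pin = ?');
    $sth->execute($pin);
    my ($owner) = $sth->fetchrow_array;
    return $owner;                       # undef when no row matches
}

# Constructed inputs, as $web->param('pin') might deliver them:
# a valid pin, an unknown but well-formed pin, a value with a quote,
# a value with a dash, and a missing parameter.
for my $input ('A1B2', 'Z9Z9', "A1B2'", 'A1B2-9', undef) {
    my $shown = defined $input ? "'$input'" : 'undef';
    my $owner = owner_of_pin($dbh, $input);
    printf "%-10s -> %s\n", $shown, defined $owner ? $owner : '(rejected or not found)';
}
```

Run it as `perl -T example.pl` to keep taint checking on; with `RaiseError` set, a tainted value reaching `execute` would die instead of silently going through, which is the behaviour you want from a CGI script.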

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
