
Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)

John R Pierce wrote:
David Kerr wrote:
Howdy all,

We're using Postgres 8.3 with all of our apps connecting to the database
with Hibernate / JPA.

Our security team is concerned about SQL Injection attacks, and would like to implement some mod_security rules to protect against it.

From what I've read Postgres vanilla is pretty robust when it comes to
dealing with SQL Injection attacks,


that would be a function of how you use Postgresql. if you do the typical PHP hacker style of building statements with inline values then executing them, you're vulnerable unless you totally sanitize all your inputs. see http://xkcd.com/327/

if you use parameterized calls (easy in perl, java, etc but not so easy in php), you should be immune. in the past there were some issues with specific evil mis-coded UTF8 sequences, but afaik, that's been cleared up for quite a while.


and when you put an abstraction layer like Hibernate on top of it, you're basically rock solid against them.

I would assume so, but I'm not familiar with the implementation details of Hibernate.



It depends how you use Hibernate. If you do String concatenation
instead of parameterized queries, then you can encounter the same
injection problems as with SQL.



--
Best Regards / Viele Grüße

Sebastian Hennebrueder
-----
Software Developer and Trainer for Hibernate / Java Persistence
http://www.laliluna.de
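The distinction both replies above draw, concatenating a value into the query text versus binding it as a parameter, in Hibernate's own API. This is an added example written for this archive page; it is not code from the thread's authors or from the Hibernate project. It assumes Hibernate 5.x with the `javax.persistence` annotations, a hypothetical `User` entity with a `username` field, and an already opened `Session`; the sample inputs are constructed.

```java
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.Id;

import org.hibernate.Session;
import org.hibernate.query.Query;

public class HibernateInjectionDemo {

    // Hypothetical entity used by both query methods (assumption, not from the thread).
    @Entity
    public static class User {
        @Id
        public Long id;
        public String username;
    }

    // VULNERABLE: the caller's value becomes part of the HQL text before Hibernate
    // parses it, so a single quote in the input changes the query's structure.
    // Returning the string lets the effect be inspected without a database.
    public static String buildVulnerableHql(String username) {
        return "from User u where u.username = '" + username + "'";
    }

    public static List<User> findUserUnsafe(Session session, String username) {
        Query<User> q = session.createQuery(buildVulnerableHql(username), User.class);
        return q.getResultList();
    }

    // SAFE: a named parameter. The query text is fixed; Hibernate hands the value
    // to the JDBC driver as a bind parameter and it is never spliced into the HQL.
    public static List<User> findUserSafe(Session session, String username) {
        Query<User> q = session.createQuery(
                "from User u where u.username = :name", User.class);
        q.setParameter("name", username);
        return q.getResultList();
    }

    // Shows, without a database, why the concatenated form is the problem:
    // a legitimate name containing an apostrophe already breaks the query,
    // and a value shaped like an injection rewrites the WHERE clause.
    public static void main(String[] args) {
        String[] constructedInputs = { "alice", "O'Brien", "x' or 'a'='a" };
        for (String input : constructedInputs) {
            System.out.println("input: " + input);
            System.out.println("  concatenated HQL: " + buildVulnerableHql(input));
            System.out.println("  parameterized HQL: from User u where u.username = :name"
                    + "   (bound value: " + input + ")");
        }
    }
}
```

The parameterized query text is identical for every input, which is what makes the approach immune to the problem the thread describes; the concatenated text differs per input, and that difference is the vulnerability. The same rule applies unchanged to plain JDBC (`PreparedStatement` with `?` placeholders) and to native SQL queries issued through `session.createNativeQuery`: Hibernate offers no protection for a query string the application assembled itself.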



--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
