On Fri, Feb 05, 2010 at 09:19:40PM +0100, Sebastian Hennebrueder wrote: - John R Pierce schrieb: - >David Kerr wrote: - >>Howdy all, - >> - >>We're using Postgres 8.3 with all of our apps connecting to the database - >>with Hibernate / JPA. - >> - >>Our security team is concerned about SQL Injection attacks, and would - >>like to implement some mod_security rules to protect against it. - >> - >>From what I've read Postgres vanilla is pretty robust when it comes to - >>dealing with SQL Injection attacks, - >> - > - >that would be a function of how you use Postgresql. if you do the - >typical PHP hacker style of building statements with inline values then - >executing them, you're vunerable unless you totally sanitize all your - >inputs. see http://xkcd.com/327/ - > - >if you use parameterized calls (easy in perl, java, etc but not so easy - >in php), you're should be immune. in the past there were some issues - >with specific evil mis-coded UTF8 sequences, but afaik, thats been - >cleared up for quite a while. - > - > - >>and when you put an abstraction layer like Hibernate on top of it, - >>you're basically rock solid against them. - > - >I would assume so, but I'm not familiar with the implementation details - >of Hibernate. - > - > - > - It dependends how you use Hibernate. If you do String concatenation - instead of parameterized queries, then you can encounter the same - injection problems like SQL. Ok so Hibernante could suffer from the same issues as any framework. Thanks Dave -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
