2011/3/21 Vibhor Kumar <vibhor.kumar@xxxxxxxxxxxxxxxx>:
>
> On Mar 22, 2011, at 1:52 AM, Pavel Stehule wrote:
>
>> simply thinks as using USAGE clause or functions quote_ident,
>> quote_literal are faster and absolutely secure :). Software like SQL
>
> I don't think usage of quote_ident, in the current requirement of the user, would prevent SQL injection.
> Running SQL multiple times, someone can guess the table name, which can give data:
>
> ERROR:  relation "am" does not exist
> LINE 1: SELECT content FROM am
>                             ^
> QUERY:  SELECT content FROM am
> CONTEXT:  PL/pgSQL function "foo" line 2 at RETURN QUERY
>
> SQL Protect will make the above message something like given below:
>
> ERROR:  SQLPROTECT: Illegal Query: relations
>

It is a different view on security. When you have no security gap, then it is irrelevant if somebody has an unlimited number of trials. SQL Protect is "security by obscurity" - a logout can be a good sign for blind injection.

Well, usage of quote_ident and quote_literal is perfect protection against SQL injection. A wrong query doesn't mean a problem. The problem is when an attacker can change the semantics of an SQL query.

Pavel

> Which stops the user guessing the relation.
>
> Thanks & Regards,
> Vibhor Kumar
> EnterpriseDB Corporation
> The Enterprise PostgreSQL Company
> vibhor.kumar@xxxxxxxxxxxxxxxx
> Blog: http://vibhork.blogspot.com
>

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
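The point Pavel makes above, as an added PL/pgSQL example that is not part of the thread: a dynamic-SQL function in the style of the "foo" from the error message, first built by string concatenation, then with quote_ident() for the relation name and a USING parameter for the literal. The table name docs, the column owner_name and the function names are assumptions for the illustration; format() with %I/%L is the same idea and is available from PostgreSQL 9.1 onward.

```sql
-- Constructed sample schema for the example (not from the thread).
CREATE TABLE docs (id int PRIMARY KEY, content text, owner_name text);
INSERT INTO docs VALUES (1, 'public note', 'alice'), (2, 'private note', 'O''Brien');

-- Unsafe form: the identifier and the literal are spliced into the statement
-- as raw text, so an argument can change the semantics of the query.
-- This is the real gap; the "relation does not exist" message is not.
CREATE FUNCTION foo_unsafe(tbl text, who text) RETURNS SETOF text
LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE 'SELECT content FROM ' || tbl
                    || ' WHERE owner_name = ''' || who || '''';
END;
$$;

-- Hardened form: quote_ident() double-quotes and escapes the relation name,
-- and the USING clause passes the value as a bound parameter ($1), so neither
-- argument can alter the structure of the statement.
CREATE FUNCTION foo_safe(tbl text, who text) RETURNS SETOF text
LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tbl)
                    || ' WHERE owner_name = $1'
               USING who;
END;
$$;

-- Same protection via format(): %I quotes an identifier, %L quotes a literal
-- (equivalent to quote_ident() and quote_literal()).
CREATE FUNCTION foo_fmt(tbl text, who text) RETURNS SETOF text
LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE format('SELECT content FROM %I WHERE owner_name = %L',
                              tbl, who);
END;
$$;

SELECT * FROM foo_safe('docs', 'alice');    -- one row: public note
SELECT * FROM foo_safe('docs', 'O''Brien'); -- one row: the apostrophe is just data
SELECT * FROM foo_unsafe('docs', 'O''Brien'); -- syntax error: the apostrophe broke the query
SELECT * FROM foo_safe('am', 'alice');      -- ERROR: relation "am" does not exist
                                            -- a wrong query, but no change of semantics
```

Guessing relation names against foo_safe only ever yields the "relation does not exist" error the thread quotes; logging repeated errors of that kind from one session is the detection signal, while the quoting itself is the mitigation.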