
Re: How does one make the following psql statement sql-injection resilient?

On 3/16/2015 4:30 PM, David G. Johnston wrote:
psql "$SERVICE" \
      --echo-queries \
      --set=string_input="${1:-ok_to_return}" \
      --set=start="${2:-5}" \
      --set=end="${3:-10}" \
<<'SQL'
     SELECT idx
         FROM generate_series(1, 20) gs (idx)
         WHERE 'short-circuit' != :'string_input'
         AND idx BETWEEN :start AND :end;
SQL

# (6 rows)

--set=end="${3:-10 AND false}"

# (0 rows)

Am I forced to represent the input as text (using :'end') and then
perform a conversion to integer?

Thanks!

David J.



The --set's make it a little complicated.  How about:

string_input="${1:-ok_to_return}"
start="${2:-5}"
end="${3:-10}"

psql "$SERVICE" --echo-queries \
     --set=string_input="$string_input" \
     --set=start="$start" \
     --set=end="$end" \
<<'SQL'
  -- declare the parameter types so the server does the text-to-integer conversion
  prepare tmp(text, int, int) as SELECT idx
         FROM generate_series(1, 20) gs (idx)
         WHERE 'short-circuit' != $1
         AND idx BETWEEN $2 AND $3;

  -- :'var' pastes each value as a quoted literal, never as raw SQL;
  -- a value such as "10 AND false" then fails the integer cast instead of running
  execute tmp(:'string_input', :'start', :'end');
  deallocate tmp;
SQL

That's untested, and probably won't work. The "execute tmp($1, $2, $3)" needs to be passed to psql as-is, but $string_input, $start and $end need to be replaced in bash before it's sent to psql. Maybe use \$1?

Docs here:

http://www.postgresql.org/docs/9.4/static/sql-prepare.html


-Andy
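To make the difference between `:end` and `:'end'::int` visible without a database, here is an added illustration (not code from this thread) that models psql's three interpolation forms: `:name` is pasted raw, `:'name'` becomes a string literal with embedded quotes doubled, `:"name"` becomes a quoted identifier. It is a simplified model (real psql also skips substitution inside literals and comments); the function names are my own.

```python
import re

# Simplified model of psql variable interpolation (added illustration, not psql).
# Group 1: :'name'   group 2: :"name"   group 3: :name
VAR_RE = re.compile(r""":(?:'(\w+)'|"(\w+)"|(\w+))""")


def sql_literal(value: str) -> str:
    """Quote as a SQL string literal: wrap in '...' and double embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def sql_identifier(value: str) -> str:
    """Quote as a SQL identifier: wrap in "..." and double embedded quotes."""
    return '"' + value.replace('"', '""') + '"'


def interpolate(template: str, variables: dict) -> str:
    def repl(m):
        lit, ident, raw = m.groups()
        name = lit or ident or raw
        if name not in variables:
            return m.group(0)          # psql leaves unknown variables untouched
        value = str(variables[name])
        if lit:
            return sql_literal(value)  # :'name' -> safe literal
        if ident:
            return sql_identifier(value)
        return value                   # :name -> raw text, no quoting at all
    return VAR_RE.sub(repl, template)


# The query from the thread, in the unsafe (raw) and safe (quoted + cast) forms.
UNSAFE = ("SELECT idx FROM generate_series(1, 20) gs (idx) "
          "WHERE idx BETWEEN :start AND :end;")
SAFE = ("SELECT idx FROM generate_series(1, 20) gs (idx) "
        "WHERE idx BETWEEN :'start'::int AND :'end'::int;")


def render_unsafe(start: str, end: str) -> str:
    return interpolate(UNSAFE, {"start": start, "end": end})


def render_safe(start: str, end: str) -> str:
    # With the constructed input "10 AND false" this yields '10 AND false'::int,
    # which PostgreSQL rejects with "invalid input syntax for type integer".
    return interpolate(SAFE, {"start": start, "end": end})


def is_int_literal(value: str) -> bool:
    """Optional shell-side pre-check: accept only a plain (optionally signed) integer."""
    return re.fullmatch(r"-?\d+", value.strip()) is not None
```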


--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general



