Search Postgresql Archives

Re: SQL injection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Nov 3, 2005, at 4:26 , Alex Turner wrote:

My point is that with magic_quotes on in PHP, php already escapes
quotes for you in all inbound variables.  This makes the process
automatic, and therefore fool proof, which is kinda the whole point.
You want a mechanism that there isn't an easy way around, like
forgetting to db_quote once in a while.  I'm just trying to find out
if there is an example where magic quotes by itself doesn't work, and
there is a viable injection attack possible, and if so, what it is, so
I can figure out how to prevent it ;).


I'm wondering if using magic_quotes will have issues down the pipe when backslash escaping is no longer the default in PostgreSQL to follow SQL spec. Am I correct in thinking that either the SQL statements would have to be rewritten to use E'' strings, the server setting would have to allow the use of backslashes, or magic_quotes would have to be turned off and variables otherwise escaped to prevent SQL injection?

As an aside, it's interesting to see that the PHP documentation states:
---
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
---
http://jp.php.net/magic_quotes

Michael Glaesemann
grzm myrealbox com




---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux