Re: Best practices for protect applications agains Sql injection.

pepone.onrez wrote:
Hi all

I am interested in protecting my applications that use PostgreSQL as their database backend from SQL injection attacks. Can anyone recommend best practices or references for protecting Postgres from this kind of malicious user?

Thanks in advance
José Manuel, Gutíerrez de la Concha Martínez.
SQL injection vulnerabilities are a product of the code, not the database. In a typical SQL injection vulnerability, the code (typically PHP or ASP, hopefully PHP) fails to sanitize the input of a parameter to a query (removing ; among other things), but the DB is acting properly in such a situation.

For example, the query "SELECT * FROM users WHERE username = '$username';" is a pretty typical PHP-generated query. If $username is input as foobar, then the query "SELECT * FROM users WHERE username = 'foobar';" would work as intended. However, if the username were "foobar'; DELETE FROM users;" then the query would become "SELECT * FROM users WHERE username = 'foobar'; DELETE FROM users;'", which is a perfectly legal query (except for the last ', but it won't make much of a difference), and the DB is acting as designed. It is the responsibility of the code to sanitize the input to keep this from happening by removing special characters such as ; and ', so there is no way (AFAIK) to use PostgreSQL settings to protect against SQL injection.

Check out this page: http://www.acunetix.com/websitesecurity/sql-injection.htm
and this page: http://www.acunetix.com/websitesecurity/sql-injection2.htm
for more information.

--
Tom Hart
IT Specialist
Cooperative Federal
723 Westcott St.
Syracuse, NY 13210
(315) 471-1116 ext. 202
(315) 476-0567 (fax)
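Added example, not code from the original thread: the vulnerable query from Tom's reply next to the same lookup done with a bound parameter through PHP's pgsql extension, which is the standard fix and makes hand-stripping ; and ' unnecessary. It assumes a PostgreSQL server reachable with the connection string shown and a users(username text, ...) table; the hostile username is a constructed sample taken from the reply.

```php
<?php
// Added example, not code from the original thread. Assumes a PostgreSQL
// server reachable with the connection string below and a table
// users(username text, ...); adjust both for your environment.

$conn = pg_connect("host=localhost dbname=app user=app_ro password=secret");
if ($conn === false) {
    fwrite(STDERR, "connection failed\n");
    exit(1);
}

// Constructed sample input: the payload from the reply above, or argv[1].
$username = $argv[1] ?? "foobar'; DELETE FROM users;";

// VULNERABLE: the input is spliced into the SQL text, so the quote and the
// semicolon in the payload become part of the statement. pg_query() sends
// the text over the simple query protocol, which accepts several statements
// in one string, so the DELETE would execute. The string is only returned
// here, not executed, so the demo is non-destructive.
function build_vulnerable_sql(string $username): string
{
    return "SELECT * FROM users WHERE username = '$username';";
}

// FIXED: the statement text is constant and the value travels separately as
// a bound parameter ($1). The server never parses the value as SQL, and the
// extended query protocol used by pg_query_params() rejects a string that
// contains more than one statement, so there is nothing to sanitize.
function lookup_safe($conn, string $username): array
{
    $sql = 'SELECT username FROM users WHERE username = $1';
    $res = pg_query_params($conn, $sql, [$username]);
    if ($res === false) {
        fwrite(STDERR, pg_last_error($conn) . "\n");
        return [];
    }
    return pg_fetch_all($res) ?: [];
}

// If the SQL text really must be assembled as a string (a one-off
// maintenance script, for instance), quote the value with
// pg_escape_literal(), which handles ', \ and the connection's encoding
// and returns the literal with its surrounding quotes. The payload becomes
// the single literal 'foobar''; DELETE FROM users;' and matches nothing.
function build_escaped_sql($conn, string $username): string
{
    return 'SELECT username FROM users WHERE username = '
        . pg_escape_literal($conn, $username) . ';';
}

echo "Vulnerable SQL that would be sent:\n  " . build_vulnerable_sql($username) . "\n";
echo "Escaped SQL:\n  " . build_escaped_sql($conn, $username) . "\n";
$rows = lookup_safe($conn, $username);
printf("Parameterized lookup returned %d row(s)\n", count($rows));
pg_close($conn);
```

Run it with no argument to see the payload neutralised, or pass a real username as the first argument to see the parameterized lookup return rows. The connection uses a read-only role name (app_ro) as a reminder that the database side can still limit damage by privilege, even though it cannot tell injected SQL from intended SQL.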

