Re: Limit on number of queries from CGI or PHP (security)
| From | Adam Lang |
|---|---|
| Subject | Re: Limit on number of queries from CGI or PHP (security) |
| Date | |
| Msg-id | 008501c0384b$eb96b8c0$330a0a0a@6014cwpza006 |
| In reply to | Limit on number of queries from CGI or PHP (security) (Rikul Patel <rikul7@yahoo.com>) |
| List | pgsql-general |
For the most part, everyone's answers are accurate. The interface and database you design needs to be tighter to prevent that.

One topic that no one mentioned is database security. For the user that the php script runs under, start by restricting its access to what it doesn't need. If they are only allowed querying information, don't let them update, delete, etc.

Second, check the query string for suspicious characters, i.e. more semicolons than needed.

When letting people enter actual SQL queries, you have to treat it like they are sitting at the server's console. The best option is to have a form that they fill in and the script constructs the query on its own... (as well as the user security enabled).

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company

----- Original Message -----
From: "Rikul Patel" <rikul7@yahoo.com>
To: <pgsql-general@postgresql.org>
Sent: Tuesday, October 17, 2000 4:00 AM
Subject: [GENERAL] Limit on number of queries from CGI or PHP (security)

> Hi,
>
> Is there any way I can restrict number of queries to
> only one? Here's the problem:
>
> If PHP script gets some data as input from user, and
> PHP scripts tries to put this data into Postgresql,
> what's keeping the user to modify the data in way to
> have postgresql execute two queries.
>
> So instead of some PHP script generating query like
> "select * from table where text='some text' or id=1",
> some malicious user could make it generate "select *
> from table where text='some text' or id=1;delete from
> table"
>
> Thanks,
> Rikul
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Messenger - Talk while you surf! It's FREE.
> http://im.yahoo.com/
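An added example, not part of the thread, showing the two measures Adam recommends together: a database user that can only read the table, and a PHP script that builds the query itself from form fields instead of accepting SQL. The table `articles`, its columns, the role name `webapp`, and the form field names are constructed for this example. It uses `pg_query_params`, which binds the user's value as a parameter rather than splicing it into the SQL text; the function did not exist in 2000 (it arrived in PHP 5.1), so the original poster could not have used it, but it is the direct answer to the "two queries" worry: the server treats the bound value as data, and the extended protocol it uses refuses more than one statement per call.

```php
<?php
// Added example (not from the original thread). Assumes a table
// "articles" with columns "id" and "text", and a PostgreSQL user "webapp".
//
// Database side, run once as a superuser (constructed statements):
//   CREATE USER webapp WITH PASSWORD 'change-me';
//   REVOKE ALL ON TABLE articles FROM webapp;
//   GRANT SELECT ON TABLE articles TO webapp;
// With only SELECT granted, even a "; DELETE FROM articles" that somehow
// reached the server would fail with a permission error.

// Columns the form may filter on. The column name comes from this fixed
// list, never from the request, because identifiers cannot be bound as
// parameters.
$allowed_columns = ['text' => 'text', 'id' => 'id'];

/**
 * Build the SELECT from a form field name and a user-supplied value.
 * Returns [sql, params]; the value travels as the bound parameter $1.
 */
function build_query(array $allowed_columns, string $column, string $value): array
{
    if (!isset($allowed_columns[$column])) {
        throw new InvalidArgumentException('unknown filter column');
    }
    $col = $allowed_columns[$column];
    // $1 is a bound parameter: quotes and semicolons inside the value are
    // compared literally, so "some text' or id=1;delete from table" just
    // matches no rows. pg_query_params also rejects multiple statements.
    $sql = "SELECT id, text FROM articles WHERE $col = \$1";
    return [$sql, [$value]];
}

$column = $_GET['field'] ?? 'text';
$value  = $_GET['q'] ?? '';

try {
    [$sql, $params] = build_query($allowed_columns, $column, $value);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('bad request');
}

// Connect as the read-only user, not as the database owner.
$conn = pg_connect('host=localhost dbname=app user=webapp password=change-me');
if ($conn === false) {
    http_response_code(500);
    exit('database unavailable');
}

$result = pg_query_params($conn, $sql, $params);
if ($result === false) {
    http_response_code(500);
    exit('query failed');
}

while ($row = pg_fetch_assoc($result)) {
    // Escape on output as well; the data came from the request originally.
    echo htmlspecialchars($row['text'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Requesting `?field=text&q=some text' or id=1;delete from table` runs a single SELECT whose parameter is that whole string; a request with `field=title` is rejected before any SQL is built. The privilege grant is the backstop: it holds even for a script elsewhere in the application that forgets to use parameters.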