"Peter Kovacs" <peter.kovacs@sysdata.siemens.hu> writes:
> Thank you for your explanation. But I still do not see how
>> INSERT INTO Users (username) VALUES ('joe'; DROP TABLE users');
> will be evaluated so that it drops table 'users'. Actually, this should
> evaluate to a syntax error, shouldn't it?
The given example was sloppy, but that doesn't mean that there is no
security risk here. Assuming that the webscript will execute
INSERT INTO Users (username) VALUES ('$1');
(where $1 means the raw string supplied by the form user), consider
input like
'); DROP TABLE users --
This will result in the backend seeing
INSERT INTO Users (username) VALUES (''); DROP TABLE users --');
which is 100% syntactically okay.
So you really need to double or escape quotes and backslashes in
user-supplied strings, or you have a security problem. Nic is correct
to note that this is not specific to JavaScript; it is a problem for any
database frontend no matter what it's written in.
regards, tom lane
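An added demonstration, not part of the thread: it uses Python's in-memory sqlite3 as a stand-in for the backend (with executescript standing in for a server that accepts several ';'-separated statements) to build the spliced query Tom describes, then shows the two fixes he names, doubling the quotes and, the preferred form, binding the input as a parameter.

```python
import sqlite3

# The input quoted in the message above.
USER_INPUT = "'); DROP TABLE users --"


def build_unsafe(raw: str) -> str:
    """The vulnerable pattern: the raw form value spliced into the SQL text ($1)."""
    return "INSERT INTO Users (username) VALUES ('%s');" % raw


def escape_literal(raw: str) -> str:
    """Quote doubling, as the message recommends. (sqlite literals have no
    backslash escapes; on a backend that does, backslashes need escaping too.)"""
    return raw.replace("'", "''")


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row is not None


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    return conn


def run_unsafe(raw: str) -> bool:
    """Run the spliced statement; returns whether the users table survived."""
    conn = fresh_db()
    conn.executescript(build_unsafe(raw))  # backend sees two statements
    return table_exists(conn)


def run_escaped(raw: str) -> tuple[bool, list[str]]:
    """Same splice, but with quotes doubled first: one INSERT, stored verbatim."""
    conn = fresh_db()
    conn.executescript(build_unsafe(escape_literal(raw)))
    rows = [r[0] for r in conn.execute("SELECT username FROM users")]
    return table_exists(conn), rows


def run_safe(raw: str) -> tuple[bool, list[str]]:
    """Parameter binding: the driver quotes the value, so no SQL is ever spliced."""
    conn = fresh_db()
    conn.execute("INSERT INTO Users (username) VALUES (?)", (raw,))
    rows = [r[0] for r in conn.execute("SELECT username FROM users")]
    return table_exists(conn), rows
```

build_unsafe(USER_INPUT) reproduces exactly the statement Tom shows the backend seeing, and run_unsafe confirms the table is gone afterwards, while both fixes keep the table and store the hostile string as an ordinary username.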