Re: secure sql-statments

Поиск
Список
Период
Сортировка
От Barry Lind
Тема Re: secure sql-statments
Дата
Msg-id 3BF2CEDD.7070803@xythos.com
обсуждение исходный текст
Ответ на secure sql-statments  (list@meinsenf.at)
Список pgsql-jdbc
Дерево обсуждения 
Michi,

You should use PreparedStatements and you won't need to worry about
doing anything, as the driver will take care of all the work for you.

thanks,
--Barry

list@meinsenf.at wrote:

>
> hi,
> I want to make my web-app secure against evil sql-statments!
>
> my sql-strings look like:
>
> updateString = "update table_1 set col_1 = '" + postParam_1 + "'";
> selectString = "select col_1 from table_1 where col_1 like '" + postParam + "'";
> generalSelectString = postParam;
>
> what characters do I have to quote, so that the client can't submit evil sql-statments?
>
> ok: 2 characters i must quote: "'" -> "\'" and "\" -> "\\"
> what characters do I need to quote else???
> perhaps ";" -> "\;"
>
> thanks
> michi
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
>
>

В списке pgsql-jdbc по дате отправления:

Предыдущее
От: list@meinsenf.at
Дата:
Сообщение: Re : Re: secure sql-statments
Следующее
От: "Chad R. Larson"
Дата:
Сообщение: Re: [ADMIN] PostgreSQL->JDBC->Tomcat->Apache resource uses