I'm developing a simple proof-of-concept Web application, more as a
personal programming exercise than anything else, that presents the user
with a login form where they can type in a database name, username, and
password. I then present them with a text field to type in SQL queries,
and hand back a nicely-formatted HTML table with the result of their
queries. Basically, just a programming exercise to get my feet wet with
the Web application framework I'm using (a Python-based framework called
Quixote).
As I was writing the database-connection code, I got to thinking about
security. How do I prevent the user from entering something like
"eviluser ; drop database template1" in the username field?
One way to go about it, I thought, would be to examine the dbname,
username, and/or password fields and make sure that they contain only
legal characters. But I couldn't find a reference in the PostgreSQL
documentation to tell me which characters are considered legal or
illegal in database names, usernames, or table names. And what about
passwords? There may be all sorts of punctuation in there.
Is there a list of illegal characters somewhere? What other methods
would you recommend to validate user input before I send it off to
PostgreSQL?
--
Robin Munn
rmunn@pobox.com