Escaping strings for inclusion into SQL queries

From: Florian Weimer
Subject: Escaping strings for inclusion into SQL queries
Date:
Msg-id: tg7kvwqdlx.fsf@mercury.rus.uni-stuttgart.de
Replies: Re: Escaping strings for inclusion into SQL queries (Christopher Masto <chris@netmonger.net>)
Re: Escaping strings for inclusion into SQL queries (Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>)
Re: Escaping strings for inclusion into SQL queries (Bruce Momjian <pgman@candle.pha.pa.us>)
Re: Escaping strings for inclusion into SQL queries (Bruce Momjian <pgman@candle.pha.pa.us>)
Re: Escaping strings for inclusion into SQL queries (Bruce Momjian <pgman@candle.pha.pa.us>)
List: pgsql-hackers
It has come to our attention that many applications which use libpq
are vulnerable to code insertion attacks in strings and identifiers
passed to these applications.  We have collected some evidence which
suggests that this is related to the fact that libpq does not provide
a function to escape strings and identifiers properly.  (Both the
Oracle and MySQL client libraries include such a function, and the
vast majority of applications we examined are not vulnerable to code
insertion attacks because they use this function.)

We therefore suggest that a string escaping function is included in a
future version of PostgreSQL and libpq.  A sample implementation is
provided below, along with documentation.

--
Florian Weimer                       Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
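The sample implementation the message refers to is an attachment that is not reproduced on this page. As an added illustration, not Weimer's code and not libpq's, here is a stand-alone C version of the two escaping routines the post asks for, one for string literals and one for identifiers, plus a query builder that applies each in its own context. The names sql_escape_string, sql_escape_identifier, build_lookup_query and the two *_matches helpers are this example's own. It assumes an ASCII-compatible client encoding (such as UTF-8) in which the bytes ' and \ never occur inside a multibyte character, and its backslash doubling matches the server behaviour of the time; current libpq provides PQescapeStringConn, PQescapeLiteral and PQescapeIdentifier, which take the connection so they know the client encoding and the standard_conforming_strings setting, and PQexecParams avoids splicing data into SQL text at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the bytes of `in` for placement between single quotes in an SQL
 * statement: every ' becomes '' and every \ becomes \\. Doubling the
 * backslash matches servers where backslash escapes inside ordinary
 * literals (PostgreSQL's behaviour when this message was written); on a
 * server with standard_conforming_strings=on the backslash branch must be
 * dropped, or stored data gains extra backslashes. Assumes an
 * ASCII-compatible encoding in which ' and \ never appear inside a
 * multibyte character (assumption of this example). Returns a malloc'd
 * NUL-terminated buffer that the caller frees, or NULL on allocation failure. */
char *sql_escape_string(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(2 * len + 1);        /* worst case: every byte doubles */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const char *s = in; *s != '\0'; s++) {
        if (*s == '\'' || *s == '\\')
            *p++ = *s;                      /* emit the special byte twice */
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Quote an identifier (table or column name) with double quotes; inside a
 * quoted identifier the only special character is " itself, which is
 * doubled. The result is the complete quoted identifier, ready to splice. */
char *sql_escape_identifier(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(2 * len + 3);        /* doubled bytes + two quotes + NUL */
    if (out == NULL)
        return NULL;
    char *p = out;
    *p++ = '"';
    for (const char *s = in; *s != '\0'; s++) {
        if (*s == '"')
            *p++ = '"';
        *p++ = *s;
    }
    *p++ = '"';
    *p = '\0';
    return out;
}

/* Assemble a lookup query from an untrusted table name and search value.
 * The identifier and the literal are escaped separately because the two
 * contexts have different special characters. Returns malloc'd text. */
char *build_lookup_query(const char *table, const char *name)
{
    char *t = sql_escape_identifier(table);
    char *n = sql_escape_string(name);
    char *q = NULL;
    if (t != NULL && n != NULL) {
        int need = snprintf(NULL, 0, "SELECT * FROM %s WHERE name = '%s';", t, n);
        if (need >= 0 && (q = malloc((size_t)need + 1)) != NULL)
            snprintf(q, (size_t)need + 1, "SELECT * FROM %s WHERE name = '%s';", t, n);
    }
    free(t);
    free(n);
    return q;
}

/* Helpers that run an escaper or the builder, compare with the expected
 * text and free the result; handy for self-checks. */
int escape_matches(char *(*fn)(const char *), const char *in, const char *expected)
{
    char *got = fn(in);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int query_matches(const char *table, const char *name, const char *expected)
{
    char *got = build_lookup_query(table, name);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed sample inputs: a value containing a quote and a table
     * name that needs quoting. An input that tries to close the literal
     * early stays inside it after escaping. */
    char *q = build_lookup_query("user list", "O'Reilly");
    if (q == NULL)
        return 1;
    puts(q);   /* SELECT * FROM "user list" WHERE name = 'O''Reilly'; */
    free(q);
    return 0;
}
```

Both routines work on C strings, so an input with an embedded NUL byte is cut short; a binary-safe version needs an explicit length parameter, which is what libpq's own escaping functions take.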
