Discussion: Preventing sql injection


Preventing sql injection

From
Rick Roman
Date:
I have a web application that will allow users to submit comments. The
database activity consists of a single insert statement into a comments
table. I want to lock down this operation against sql injection attacks.
Can someone point me to a discussion of general principles? I've seen
reference to V3 extended-query protocol. Where is this invoked? Other
suggestions?

Re: Preventing sql injection

From
Alvaro Herrera
Date:
On Wed, Aug 10, 2005 at 10:02:05AM -0700, Rick Roman wrote:
> I have a web application that will allow users to submit comments. The
> database activity consists of a single insert statement into a comments
> table. I want to lock down this operation against sql injection attacks.
> Can someone point me to a discussion of general principles? I've seen
> reference to V3 extended-query protocol. Where is this invoked? Other
> suggestions?

What language are you using?

The general principle is that you have to look at user input for certain
chars, such as ' and \, and escape them somehow.

There's another way, which is using new features of the v3 protocol.
One easy way to do that is using PQexecParams() instead of PQexec(), if
you are dealing with C programs.

--
Alvaro Herrera (<alvherre[a]alvh.no-ip.org>)
"In a specialized industrial society, it would be a disaster
to have kids running around loose." (Paul Graham)
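Both of the options Alvaro describes, escaping the dangerous characters by hand and sending the comment as a separate parameter, can be seen side by side in the following added example. It is not code from this thread or from PostgreSQL; it uses Python's built-in sqlite3 module as a stand-in for libpq so it runs without a server, with a plain `execute(..., (value,))` playing the role of PQexecParams() (or a JDBC PreparedStatement). The `comments` table, the `MALICIOUS_COMMENT` string and all function names are constructed for the illustration. The multi-statement `executescript()` call models a driver that, like PQexec(), accepts several statements in one string.

```python
import sqlite3

# Constructed sample input: a user-submitted comment whose embedded quote
# ends the string literal in a naively concatenated INSERT.
MALICIOUS_COMMENT = "nice post'); DELETE FROM comments; --"


def fresh_db():
    """In-memory database with one pre-existing comment (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    conn.execute("INSERT INTO comments (body) VALUES ('existing comment')")
    conn.commit()
    return conn


def insert_concatenated(conn, body):
    """Vulnerable: the user text is spliced into the SQL string.

    executescript() stands in for PQexec()-style APIs that run every
    statement in the string, so the injected DELETE is executed too.
    """
    sql = "INSERT INTO comments (body) VALUES ('" + body + "')"
    conn.executescript(sql)


def insert_escaped(conn, body):
    """Alvaro's first option: escape the characters that terminate a literal.

    SQLite only needs the single quote doubled; PostgreSQL 7.x also treated
    backslash as an escape, which is why hand-written escaping is dialect
    specific and easy to get wrong when the rules change.
    """
    escaped = body.replace("'", "''")
    conn.executescript("INSERT INTO comments (body) VALUES ('" + escaped + "')")


def insert_parameterized(conn, body):
    """Alvaro's second option: fixed statement text, value sent separately.

    This is the same idea as PQexecParams(): the parser never sees the
    user's bytes as SQL, so no escaping is needed at all.
    """
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def count_comments(conn):
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


def stored_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def demo():
    """Run the same hostile comment through all three insert paths."""
    results = {}

    conn = fresh_db()
    insert_concatenated(conn, MALICIOUS_COMMENT)
    results["concatenated_rows"] = count_comments(conn)      # 0: the DELETE ran
    conn.close()

    conn = fresh_db()
    insert_escaped(conn, MALICIOUS_COMMENT)
    results["escaped_rows"] = count_comments(conn)           # 2: text stored verbatim
    results["escaped_bodies"] = stored_bodies(conn)
    conn.close()

    conn = fresh_db()
    insert_parameterized(conn, MALICIOUS_COMMENT)
    results["parameterized_rows"] = count_comments(conn)     # 2: text stored verbatim
    results["parameterized_bodies"] = stored_bodies(conn)
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The escaped and parameterized paths both store the comment exactly as typed, including the quote and the trailing `--`; only the concatenated path lets the embedded `DELETE` reach the parser. Parameter binding is the one of the two that does not depend on knowing the server's quoting rules.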

Re: Preventing sql injection

From
Rick Roman
Date:
Alvaro Herrera wrote:
> On Wed, Aug 10, 2005 at 10:02:05AM -0700, Rick Roman wrote:
> > I have a web application that will allow users to submit comments. The
> > database activity consists of a single insert statement into a comments
> > table. I want to lock down this operation against sql injection attacks.
> > Can someone point me to a discussion of general principles? I've seen
> > reference to V3 extended-query protocol. Where is this invoked? Other
> > suggestions?
>
> What language are you using?
>
> The general principle is that you have to look user input for certain
> chars, such as ' and \, and escape them somehow.
>
> There's another way, which is using new features of the v3 protocol.
> One easy way to do that is using PQexecParams() instead of PQexec(), if
> you are dealing with C programs.

I am using PG 7.3, Java through the OBJ Object/relational bridge.

user postgres

From
eko oke
Date:


hello, I have an error like this:

 $psql u- abc

error

PSQL : FATAL IDENT authentication failed for user “xyz”

in  template1 #\c abc

: FATAL IDENT authentication failed for user “xyz”

previous connection kept

thanks

wahyon00.
