postgreSQL web form; Security

on 14.07.2003 21:10:14 by Davi Leal

Hi,

We are developing a web page: PHP & postgreSQL. We can transform the below (a)
query into the (b) query if we add
"01001'); DELETE FROM tbHosp; INSERT INTO tbRev (Id) VALUES ('01001"
as the value of Id in the web form.

(a) INSERT INTO tbRev (Id) VALUES ('01001');

(b) INSERT INTO tbRev (Id) VALUES ('01001'); DELETE FROM tbHosp; INSERT INTO
tbRev (Id) VALUES ('01001');


We are able to delete registers. We have checked and it works! Microsoft
Access 2000 does not allow me to execute a composed query. It warns with
something similar to "ERROR; -2147217900 [Microsoft][Microsoft Access ODBC
Driver] Characters after the end of the first SQL query".


How can we avoid this security risk using PHP & postgreSQL?

Regards,
Davi


---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?

http://www.postgresql.org/docs/faqs/FAQ.html

Re: postgreSQL web form; Security

on 19.07.2003 04:16:25 by Rod Taylor

> How can we avoid this security risk using PHP & postgreSQL?

Be sure to verify all input from the untrusted source is valid, and
after you do that, be sure to escape it using pg_escape_string() or
pg_escape_bytea().

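An added example (not code from the thread) showing Davi's vulnerable concatenation beside the two fixes: validating the input and then escaping it with pg_escape_string() as Rod suggests, and a parameterized query. The connection string, the five-digit shape of Id, and a PHP version of 5.1 or later (for pg_query_params()) are assumptions.

```php
<?php
// Added example. Assumes the tables tbRev/tbHosp from the original post,
// a form field named "Id", and an assumed connection string (adjust it).
$conn = pg_connect("host=localhost dbname=appdb user=webuser password=secret");
if ($conn === false) {
    die("connection failed");
}

// VULNERABLE: the form value is pasted straight into the SQL text. With
// Id = "01001'); DELETE FROM tbHosp; INSERT INTO tbRev (Id) VALUES ('01001"
// pg_query() receives three statements and, unlike the Access ODBC driver,
// executes all of them.
function insert_rev_vulnerable($conn, $id)
{
    $sql = "INSERT INTO tbRev (Id) VALUES ('" . $id . "')";
    return pg_query($conn, $sql);
}

// FIX 1: reject anything that is not the expected shape (assumed here to be
// five digits), then escape what remains. pg_escape_string() doubles the
// single quote, so the literal cannot be closed early and the whole value
// is stored as data.
function insert_rev_escaped($conn, $id)
{
    if (!preg_match('/^[0-9]{5}$/', $id)) {
        return false;                        // reject, do not "clean"
    }
    $safe = pg_escape_string($conn, $id);
    return pg_query($conn, "INSERT INTO tbRev (Id) VALUES ('" . $safe . "')");
}

// FIX 2 (preferred): a parameterized query. The SQL text is fixed and $1 is
// sent separately, so no quoting is involved; pg_query_params() also accepts
// only one SQL command per call, so a smuggled ";" cannot add a statement.
function insert_rev_params($conn, $id)
{
    if (!preg_match('/^[0-9]{5}$/', $id)) {
        return false;
    }
    return pg_query_params($conn, 'INSERT INTO tbRev (Id) VALUES ($1)', array($id));
}

$id = isset($_POST['Id']) ? $_POST['Id'] : '';
if (insert_rev_params($conn, $id) === false) {
    echo "rejected: " . htmlspecialchars(pg_last_error($conn));
} else {
    echo "stored";
}
```

Validation goes first in both fixes because escaping only protects the SQL literal; it does not make an unexpected value acceptable to the application.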

Re: postgreSQL web form; Security

on 19.07.2003 10:53:04 by adriantineo

> How can we avoid this security risk using PHP & postgreSQL?

Every system has its security caveats. But that doesn't mean it can't be
taken care of. Check this link for some important security issues regarding
PHP and SQL.
http://forums.devshed.com/t20525/s7cec8677087e43c40ce670ad005d327c.html
http://es2.php.net/manual/en/security.database.php

What I do is verify all user input ($_GET and $_POST array) and not allow
certain characters, most importantly ";". If they can't put a ";" they can't
close a query and they can't do SQL injection.

That is if you want to build the security wall at the application level. For
extra security or for security at DB level you could connect as a previously
created user with only read-access permission. Although at some point you
might need to insert/delete stuff, you can use the read-only user while you
don't need to write. A lot of times you have some public pages that
everybody can access that don't need write permission. Then you can have
other password-protected pages intended only for admins or people you trust
that need write/delete so the security risk would be lower.

Hope that helps.

Adrian Tineo




Re: postgreSQL web form; Security

on 19.07.2003 13:06:32 by Michelle Konzack

Hello Adrian,


At 10:53 2003-07-19 +0200 Adrian Tineo wrote:

> What I do is verify all user input ($_GET and $_POST array) and not allow
> certain characters, most importantly ";". If they can't put a ";" they can't
> close a query and they can't do SQL injection.

How do you do that?

With JavaScript in the web page?
or
On the server side?

I think we must use both: the first one to prevent too much work
on the server side, and the second one in case someone hacks the input field
or uses the command line to access the URL.

Hmm, I have no clue how to check it with JavaScript...

Does anyone have some small GPL'ed code for it?
(I do not code JavaScript.)

Thanks
Michelle

