Re: Effectiveness of pg_escape_string at blocking SQL injection attacks

On Fri, May 27, 2005 at 10:57:16 -0500,
Ed Finkler wrote:
> Folks,
>
> The php mysql api has a function "mysql_real_escape_string" that seems
> to be able to thwart known SQL injection attacks -- at least the ones of
> which I and other people I've discussed this with know. I am curious to
> know if pg_escape_string is as effective. If not, what would need to be
> modified to make it more effective?
>
> (there is a possibility that I may be able to get a grad student to work
> on this at the center, so detailed responses would be appreciated.)

The best advice is to use bind parameters rather than trying to build
SQL strings consisting partly of user input.

---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org

Re: Effectiveness of pg_escape_string at blocking SQL injection attacks

Bruno Wolff III wrote:

> The best advice is to use bind parameters rather than trying to build
> SQL strings consisting partly of user input.

That's good advice, but I suspect not everyone is going to know this,
and will have a tendency to use the escaping function to try and clean
intput. Do you have any suggestions about improving the security of the
pg_escape_string function?

--
Ed Finkler
Web and Security Archive Administrator
CERIAS - Purdue University
http://www.cerias.purdue.edu/
v: 765.496.6762 f: 764.496.3181

---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?

http://www.postgresql.org/docs/faq