The SELECT is in fact much more likely to be vulnerable than the COPY,
but to be safer you should make sure none of your words matches /\n|^\\\./
cheers
andrew
Kynn Jones wrote:
I have a Perl CGI script (using DBD::Pg) that interfaces with a server-side
Pg database. This interfacing is more involved than simple SELECT queries,
which increases the vulnerability to SQL injection attacks. Here's a
summary.
1. the user submits a collection of "words", typically via a browser;
2. the server-side CGI script creates a temporary table, called input_list,
and inserts these words in the table, one word per row. The code for this
insertion is:
$dbh->do( <<EOSQL );    # open a one-column COPY; rows arrive as text lines
COPY input_list ( word ) FROM stdin;
EOSQL
$dbh->pg_putline( "$_\n" ) for @$words;   # one line per word, unescaped
$dbh->pg_endcopy;                          # sends the terminating "\." for us
3. the script then performs a SELECT query that involves a join with the
temporary table input_list.
The SELECT in (3) seems to me pretty safe, irrespective of the contents of
input_list (but please disabuse me if I'm wrong!).
I'm less certain of the safety of the $dbh->pg_putline statement that
initializes input_list. Is it vulnerable to SQL-injection?
TIA!
~K
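The check Andrew suggests (no embedded newline, no line starting with "\.") is the minimum; the more robust fix is to encode every word in COPY's text format, which also keeps tabs and backslashes from being misread as column delimiters or escapes. The script below is an added example, not code from either poster: it assumes the table and column names from the thread (input_list, word), a placeholder connection string, and keeps the same pg_putline/pg_endcopy calls Kynn uses.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): escape user-supplied words
# for PostgreSQL's COPY ... FROM stdin text format before pg_putline, so a
# word can neither add extra rows nor end the COPY early.
use strict;
use warnings;
use DBI;

# COPY text format treats backslash as an escape, tab as the column
# delimiter, newline/CR as row terminators, and a line of "\." as end of
# data.  Encoding these four bytes makes every word round-trip exactly and
# guarantees the line we send never contains a bare newline and never
# begins with backslash-dot.
my %copy_escape = ( "\\" => '\\\\', "\t" => '\t', "\n" => '\n', "\r" => '\r' );

sub copy_escape_word {
    my ($word) = @_;
    die "undefined word" unless defined $word;
    ( my $escaped = $word ) =~ s/([\\\t\n\r])/$copy_escape{$1}/g;
    return $escaped;
}

# Andrew's check from the thread, applied after escaping.  A correctly
# escaped line can never match it, so a hit means a bug in the escaper,
# not merely hostile input.
sub is_safe_copy_line {
    my ($line) = @_;
    return $line !~ /\n|^\\\./;
}

# Create the temporary table and load the words through COPY.
sub load_input_list {
    my ( $dbh, $words ) = @_;
    $dbh->do("CREATE TEMP TABLE input_list ( word text )");
    $dbh->do("COPY input_list ( word ) FROM stdin");
    for my $w (@$words) {
        my $line = copy_escape_word($w);
        die "refusing unsafe COPY line" unless is_safe_copy_line($line);
        $dbh->pg_putline("$line\n");
    }
    $dbh->pg_endcopy;    # emits the real "\." terminator
}

# Constructed sample input covering the cases the thread worries about:
# an embedded newline, a lone "\.", a tab and a backslash.
my @words = ( "apple", "two\nrows", "\\.", "tab\tsplit", "back\\slash" );
my @lines = map { copy_escape_word($_) } @words;
die "escaper broken" if grep { !is_safe_copy_line($_) } @lines;
print "$_\n" for @lines;

# Against a real database (placeholder credentials, not from the thread):
# my $dbh = DBI->connect( 'dbi:Pg:dbname=DBNAME', 'USER', 'PASSWORD',
#                         { RaiseError => 1, AutoCommit => 1 } );
# load_input_list( $dbh, \@words );
```

Because the escaper rewrites every byte that has meaning to COPY, a stored word compares equal to what the user sent, which is what the later join on input_list relies on; the post-escape regex check is only a guard against regressions in the escaper. Newer DBD::Pg releases expose the same operations as pg_putcopydata and pg_putcopyend; the older names used here still work.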