2011/3/21 Vibhor Kumar <vibhor.ku...@enterprisedb.com>:
>
> On Mar 22, 2011, at 1:52 AM, Pavel Stehule wrote:
>
>> simply thinks as using USAGE clause or functions quote_ident,
>> quote_literal are faster and absolutly secure :). Software like SQL
>
> I don't think usage of quote_ident in current requirement of user, would 
> prevent sql injection.
> Running sql multiple times, someone can guess the tabename which can give 
> data:
> ERROR:  relation "am" does not exist
> LINE 1: SELECT content FROM am ^QUERY:  SELECT content FROM amCONTEXT:  
> PL/pgSQL function "foo" line 2 at RETURN QUERY
>
> SQL Protect will make above message something like given below:
> ERROR:  SQLPROTECT: Illegal Query: relations
>

it is different view on security. When you have not a security gap,
then is irelevant if somebody has unlimited number of trials. SQL
Protect is "security by obscurity" - a logout can be a good sign for
blind injection.

well usage of quote_ident and quote_literal is a perfect protection
against sql injection. Wrong query doesn't mean a problem. Problem is
when attacker can change a semantic of SQL query.

Pavel

> Which stops user guessing relation.
>
> Thanks & Regards,
> Vibhor Kumar
> EnterpriseDB Corporation
> The Enterprise PostgreSQL Company
> vibhor.ku...@enterprisedb.com
> Blog:http://vibhork.blogspot.com
>
>

-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

Reply via email to