On Tue, Apr 29, 2008 at 01:37:37PM +0200, Thomas Mueller wrote: > > any literal (i.e. not just strings) can be quoted, think of dates in > > queries. > > The problem is not only quotes. The problem is all kinds of user > input. For example: sql = "SELECT * FROM ORDERS WHERE ORDER_ID = " + > orderId; This is not a problem if orderId is a number. But what if > it's a String? For example "1 AND (SELECT * FROM USERS WHERE > NAME='admin' AND PASSWORD LIKE 'm%')". An attacker could then retrieve > the admin password quite quickly.
In other words, your programmer was stupid. And your example doesn't work because no matter what the string is it can't return anything other than rows from the orders table. If you're worried about them using semicolons to introduce another query, prepare has prohibited that for a long time already. But as far as I'm concerned, the real killer is that it would make using any interactive query interface impossible. I don't think it's reasonable to include a complete SQL parser into psql just so I can type normal queries. Have a nice day, -- Martijn van Oosterhout <[EMAIL PROTECTED]> http://svana.org/kleptog/ > Please line up in a tree and maintain the heap invariant while > boarding. Thank you for flying nlogn airlines.
signature.asc
Description: Digital signature
