- Original Message -
From: Richard Huxton [EMAIL PROTECTED]
To: Denis [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 7:48 PM
Subject: Re: [SQL] how to preserve \n in select statement
On Monday 22 December 2003 09:37, Denis wrote:
Hi Richard..
If your users
On Saturday 20 December 2003 17:58, Matt Van Mater wrote:
I readily admit that I didn't read much into it, but I think you are
mistaken. If you look at the following links you will see that postgresql
definitely had a vulnerability that allowed sql injection through the use
of escape
- Original Message -
From: Richard Huxton [EMAIL PROTECTED]
To: Matt Van Mater [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 2:34 PM
Subject: Re: [SQL] how to preserve \n in select statement
On Saturday 20 December 2003 17:58, Matt Van Mater
On Monday 22 December 2003 09:37, Denis wrote:
Hi Richard..
If your users are required to fire only SELECT and no DML, you can do the
following:
BEGIN;
execute the statements given by user
ROLLBACK;
This will not affect your SELECT and also if any malicious user gives
DELETE statement,
Because you are using an input syntax that requires that quotes and
backslashes be escaped. There are other input methods available that
don't require this, but they have disadvantages of their own. In
particular, you have to separate data from SQL command if you want a
no-escape-processing
Matt Van Mater [EMAIL PROTECTED] writes:
In particular, you have to separate data from SQL command if you want a
no-escape-processing behavior for data.
right, I was looking for the alternate input methods that you allude to. I
have been unable to find an example of exactly how to do this.
I have a table that has a few text value types, and I enter a bunch of text
with '\n' representing a newline. When I select the records from that
table, postgresql 7.3 represents those \n as newlines and actually outputs
a newline rather than as a \n as entered. I want to be able to get
PROTECTED]
Subject: Re: [SQL] how to preserve \n in select statement
Date: Fri, 19 Dec 2003 08:43:59 -0700
What are you using to enter and retrieve the data?
Either escape the data before you put it in the database or when you retrieve
it, whichever gives you the results you are looking for.
Matt Van
On Fri, Dec 19, 2003 at 10:06:28 -0500,
Matt Van Mater [EMAIL PROTECTED] wrote:
I have a table that has a few text value types, and I enter a bunch of text
with '\n' representing a newline. When I select the records from that
table, postgresql 7.3 represents those \n as newlines and
of that
functionality.
Original Message Follows
From: Bruno Wolff III [EMAIL PROTECTED]
To: Matt Van Mater [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: [SQL] how to preserve \n in select statement
Date: Fri, 19 Dec 2003 15:26:07 -0600
On Fri, Dec 19, 2003 at 10:06:28 -0500,
Matt Van Mater [EMAIL
Matt Van Mater [EMAIL PROTECTED] writes:
I just don't see why pgsql can't return my data exactly as I entered
it.
Because you are using an input syntax that requires that quotes and
backslashes be escaped. There are other input methods available that
don't require this, but they have
11 matches