On Wed, Jan 09, 2002 at 04:01:14AM -0800, David D.W. Dowey wrote:
> Actually the more I look at this, the more I think it would be better to log
> an entry about unescaped chars to the system log and deny the query. At
> least until the patch
> (http://cert.uni-stuttgart.de/doc/postgresql/escape/postgresql-escape-2001-09-04.diff)
> has been added to the pgsql mainstream package.
>
> I can return an error message stating why the query was denied. This would
> also force the developer to monitor their code as well.
>
> Like the alert says, this would put the responsibility on the developer. The
> PAM module should just check for a correctly formed string complete with
> security check.
>
> Any thoughts?

I like it: define a set of allowed SQL characters (this must be in an ANSI standard doc somewhere) and deny everything else; that way you're always covered for any suspicious characters.

Regarding the sponsoring, I don't have access to a Debian machine at the moment, and I don't want to put my private key on another machine, so it may be a problem unless Debian works in FreeBSD's binary emulation mode :)

Let's take further discussion off the list?

Regards,
Leon.
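The check-and-deny approach discussed above (allowlist the input, log the rejection to the system log, refuse the query), written out as an added example in C since PAM modules are C. This is not code from the thread, from the PAM module under discussion, or from the PostgreSQL patch; the allowlist contents, the `MAX_INPUT` limit and the `pam_sqlcheck` log prefix are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allowlist of bytes accepted in a username. This set is an assumption for
 * the example (the thread leaves the exact set to "an ANSI standard doc");
 * quotes, semicolons, backslashes, whitespace and control bytes are all
 * outside it, so they are denied rather than escaped. */
static const char ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-@";

/* Longest accepted input, terminator included (also an assumption). */
#define MAX_INPUT 64

enum verdict { V_OK, V_EMPTY, V_TOO_LONG, V_BAD_BYTE };

/* Classifies s. On V_BAD_BYTE, *bad receives the offset of the first byte
 * outside ALLOWED; for the other verdicts *bad is set to 0. */
enum verdict check_input(const char *s, size_t *bad)
{
    *bad = 0;
    if (s == NULL) return V_EMPTY;
    size_t n = 0;
    while (n < MAX_INPUT && s[n] != '\0') n++;
    if (n == 0) return V_EMPTY;
    if (n == MAX_INPUT) return V_TOO_LONG;       /* no terminator within range */
    size_t span = strspn(s, ALLOWED);             /* safe: NUL found above */
    if (span != n) { *bad = span; return V_BAD_BYTE; }
    return V_OK;
}

/* Formats the audit line a module would hand to syslog(3) when it denies a
 * query. The offending byte is written as hex and never copied verbatim, so
 * the log entry itself cannot carry the raw character. "pam_sqlcheck" is a
 * placeholder prefix, not a real module name. Returns the snprintf result. */
int deny_message(enum verdict v, const char *s, size_t bad, char *out, size_t outlen)
{
    switch (v) {
    case V_EMPTY:
        return snprintf(out, outlen, "pam_sqlcheck: denied query, empty or missing input");
    case V_TOO_LONG:
        return snprintf(out, outlen, "pam_sqlcheck: denied query, input exceeds %d bytes",
                        MAX_INPUT - 1);
    case V_BAD_BYTE:
        return snprintf(out, outlen,
                        "pam_sqlcheck: denied query, disallowed byte 0x%02x at offset %zu",
                        (unsigned char)s[bad], bad);
    default:
        out[0] = '\0';
        return 0;
    }
}

/* The behaviour the message proposes: let only a clean string through;
 * otherwise fill log with the audit line and report that the query is denied. */
bool validate_or_deny(const char *s, char *log, size_t loglen)
{
    size_t bad;
    enum verdict v = check_input(s, &bad);
    if (v == V_OK) { log[0] = '\0'; return true; }
    deny_message(v, s, bad, log, loglen);
    return false;
}

int main(void)
{
    char log[128];
    const char *samples[] = { "alice_01@example", "o'brien", "alice\n", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = validate_or_deny(samples[i], log, sizeof log);
        printf("%s: %s\n", ok ? "accepted" : "denied", ok ? samples[i] : log);
    }
    return 0;
}
```

Two practical points follow from running this. A strict allowlist denies legitimate values such as `o'brien` along with anything hostile, which is why the thread treats it as a stopgap until the escaping patch lands in the mainstream package; the error message returned to the developer should say which byte was refused so the rejection is debuggable. And the log line reports the byte as hex rather than echoing the input, so a denied value cannot smuggle newlines or other characters into the system log.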