Yeah, would Python protect you from that? I am using Groovy on Grails and not sure how these things work here. Most of the time I use GORM to do my queries, but now I am stuck with SQL because of fulltext search with Postgres. Perhaps there are some similar things in Groovy to run, I will check into that. / Moe
On Thu, Jan 8, 2009 at 5:20 PM, Christopher Swingley <cswin...@gmail.com> wrote:
> Greetings!
>
> > > Wed, Jan 7, 2009 at 8:07 PM, Mohamed <mohamed5432154...@gmail.com>
> > > Hi, I am wondering whether or not there exists any built-in
> > > function for making sure a query/textinput is not harmful or one
> > > that escapes them. If not, what kind of things should I watch out
> > > for?
> >
> > * Reg Me Please <regmeple...@gmail.com> [2009-Jan-08 00:20 AKST]:
> > Maybe I'm missing the point, but have you read about quote_ident() and
> > quote_literal() at chapter 9.4 "String Functions and Operators"?
>
> quote_literal() does seem like a good choice for getting the quoting
> correct. As far as protecting yourself from SQL injection attacks, you
> may want to look at the options available in the programming language
> you are using to get user input. In Python, for example, you can run
> queries as follows:
>
> parameters = (12, "bar", True)
> query = "INSERT INTO foo VALUES (%s, %s, %s);"
> cursor.execute(query, parameters)
> connection.commit()
>
> Python fills the '%X' fields with the parameters after verifying they
> are safe. Probably best to test how much protection this offers.
>
> I believe the risk isn't so much a question of quoting or special
> characters, but carefully crafted input variables. For example, what if
> the second parameter was:
>
> "'bar', True); DELETE FROM foo; INSERT INTO foo VALUES (1, 'bar',"
>
> Cheers,
>
> Chris
> --
> Christopher S. Swingley
> http://swingleydev.com/
> <cswin...@gmail.com>
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general