Hi folks,

Peter Eisentraut wrote:

PE> If you use prepared statements (the details of which vary by
PE> programming language), you should be quite safe.

Peter - thanks for the suggestion. You are right: a poorly designed function might simply concatenate the injected code - I hadn't really thought it through. The key seems to be to treat the unsafe string as a value so it can't leak out into the statement, and a parameterised prepared statement would do this effectively, as you suggest. Very elegant...

Bill Moran wrote:

BM> To protect yourself from SQL injections, just pass all your data through
BM> PQescapeString()

I'm no expert, but the papers I have been reading suggest that the usual hygiene advice such as don't display DB error messages and escape unsafe strings doesn't cover all types of attack. See, for example, this:

http://www.net-security.org/article.php?id=571

But so far as I can see, Peter's suggestion should provide a workable robust solution. So thanks again!

------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154
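The point Geoff arrives at above, that a parameterised statement keeps the untrusted string as a value so it cannot leak into the statement text, can be shown side by side with the concatenating version. The following is an added example, not code from the thread or from PostgreSQL/libpq; it uses Python's bundled sqlite3 module (whose `?` placeholders play the role of a prepared statement's parameters), and the `users` table, its two rows and the inputs `TAUTOLOGY` and `O'Brien` are all constructed for the demonstration.

```python
"""Added example (not from the mailing-list thread): a concatenating
lookup beside a parameterised one, run against constructed sample data
in an in-memory sqlite3 database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """The 'poorly designed function' from the thread: the untrusted string
    is pasted into the statement text, so quotes and keywords inside it
    are parsed as SQL rather than compared as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised form: the statement text is fixed and the string is
    bound as a value, so it can only ever be compared, never parsed."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed input: harmless as a value, but a tautology if concatenated.
TAUTOLOGY = "x' OR 'a'='a"


def demo() -> dict:
    """Run both lookups on a normal name, on the tautology input and on a
    name containing an apostrophe; return the results for inspection."""
    conn = make_db()
    results = {
        "concat_normal": lookup_concatenated(conn, "alice"),
        "concat_tautology": lookup_concatenated(conn, TAUTOLOGY),
        "param_normal": lookup_parameterised(conn, "alice"),
        "param_tautology": lookup_parameterised(conn, TAUTOLOGY),
        "param_quote": lookup_parameterised(conn, "O'Brien"),
    }
    # A perfectly legitimate apostrophe also breaks the concatenated query,
    # which is the same defect seen from the usability side.
    try:
        results["concat_quote"] = lookup_concatenated(conn, "O'Brien")
    except sqlite3.Error:
        results["concat_quote"] = "SQL syntax error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated lookup returns every row for the tautology input and fails outright on a name with an apostrophe, while the parameterised lookup simply finds no user with either literal name; the statement text never changes, which is exactly what makes escaping of the value unnecessary.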
PE> If you use prepared statements (the details of which vary by >> PE> programming language), you should be quite safe. Peter - thanks for the suggestion. You are right: a poorly designed function might simply concatenate the injected code - I hadn't really thought it through. The key seems to be to treat the unsafe string as a value so it can't leak out into the statement, and a parameterised prepared statement would do this effectively, as you suggest. Very elegant... Bill Moran wrote: BM> To protect yourself from SQL injections, just pass all your data through BM> PQescapeString() I'm no expert, but the papers I have been reading suggest that the usual hygene advice such as don't display DB error messages and escape unsafe strings doesn't cover all types of attack. See, for example, this: http://www.net-security.org/article.php?id=571 But so far as I can see, Peter's suggestion should provide a workable robust solution. So thanks again! ------------------ Geoff Caplan Vario Software Ltd (+44) 121-515 1154 ---------------------------(end of broadcast)--------------------------- TIP 2: you can get off all lists at once with the unregister command (send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])