Hi folks,
I'm new to Postgres and trying to get up to speed on the security
issues. There seems to be remarkably little Postgres specific stuff on
preventing SQL injection attacks.
Most of the online literature is on MS SQL Server. There, the
consensus seems to be that the range of potential atta
On Fri, Jul 16, 2004 at 10:03:56AM +0200,
Najib Abi Fadel <[EMAIL PROTECTED]> wrote
a message of 37 lines which said:
> Is there any documentation explaining the C functions (syntax) used
> in postgres.h library ??
http://www.postgresql.org/docs/7.4/static/libpq.html
On Mon, Jul 19, 2004 at 12:33:40AM -0400, Tom Lane wrote:
> Chuck Bearden <[EMAIL PROTECTED]> writes:
> > I am building from a freshly downloaded tar.gz of 7.4.3. The machine is
> > a 4CPU Dell with an unsupported RH 9 install.
>
> > When I ran the regression tests, two failed: horology and stats
In the course of creating a new PG 7.4.3 server, I chose UTF-8 as my
locale. I now find that sorting is very different with that setting: It
appears, through trial and error, that all non-alphanumeric characters
are completely ignored by ORDER BY. Thus, traditional tricks like
prefixing a name
Hello,
I know this is a bit late, but, can anyone please help!!??? does anyone at
all have any idea how I might be able to get back some of my data from the
website that was hosted at pghoster before they vanished? (I know, I should
have backed up more often, but I unfortunately started to get a
Geoff Caplan wrote:
> I'm new to Postgres and trying to get up to speed on the security
> issues. There seems to be remarkably little Postgres specific stuff
> on preventing SQL injection attacks.
If you use prepared statements (the details of which vary by programming
language), you should be qu
Geoff Caplan <[EMAIL PROTECTED]> wrote:
> Hi folks,
>
> I'm new to Postgres and trying to get up to speed on the security
> issues. There seems to be remarkably little Postgres specific stuff on
> preventing SQL injection attacks.
>
> Most of the online literature is on MS SQL Server. There, the
A Bruce wrote:
| hello,
|
| I am attempting to convert a oracle database to postgresql and I am having
| some problems creating a constraint across multiple columns which are a
| mixture of case insensitive and case sensitive.
|
| The original oracle da
On Tue, 20 Jul 2004, John Gunther wrote:
> In the course of creating a new PG 7.4.3 server, I chose UTF-8 as my
> locale. I now find that sorting is very different with that setting: It
As a note, UTF-8 is not a locale. My guess is that you are actually using
something like en_XX.UTF-8 (for some
Hi folks,
Peter Eisentraut wrote:
PE> If you use prepared statements (the details of which vary by
PE> programming language), you should be quite safe.
Peter - thanks for the suggestion. You are right: a poorly designed
function might simply concatenate the injected code - I hadn't really
tho
John Gunther <[EMAIL PROTECTED]> writes:
> In the course of creating a new PG 7.4.3 server, I chose UTF-8 as my
> locale.
UTF-8 is a character set encoding, not a locale. I suspect you may
have chosen en_US or something like that as your locale.
> I now find that sorting is very different with
Geoff Caplan <[EMAIL PROTECTED]> wrote:
> BM> To protect yourself from SQL injections, just pass all your data through
> BM> PQescapeString()
>
> I'm no expert, but the papers I have been reading suggest that the
> usual hygiene advice such as don't display DB error messages and escape
> unsafe str
Bill Moran <[EMAIL PROTECTED]> wrote:
>
[snip]
>
> Simply put:
> 1) If the untrusted value is a string, using a proper escape sequence should
>make it safe.
> 2) If the untrusted value is not a string, then it should be tested for
>proper value (i.e. if it should be a number, it should be
Bill Moran <[EMAIL PROTECTED]> writes:
> Geoff Caplan <[EMAIL PROTECTED]> wrote:
>
> > Hi folks,
> >
> > I'm new to Postgres and trying to get up to speed on the security
> > issues. There seems to be remarkably little Postgres specific stuff on
> > preventing SQL injection attacks.
> >
> > Mo
Bill Moran wrote:
>
> Simply put:
> 1) If the untrusted value is a string, using a proper escape sequence should
>    make it safe.
>
In pgsql (and mysql) you can escape almost everything.
update table set a = '5' is correct, even if column a is integer type.
You can't escape the null value.