Re: [SECURITY] DoS attack on backend possible
Curt Sampson <cjs@cynic.net>
From: Curt Sampson <cjs@cynic.net>
To: ngpg@grymmjack.com
Cc: pgsql-hackers@postgresql.org
Date: 2002-08-20T11:29:11Z
Lists: pgsql-hackers
On Mon, 19 Aug 2002 ngpg@grymmjack.com wrote:
> $input = "user'name";
> INSERT INTO db (name) VALUES ('$input');
>
> will fail because the ' in the input needs to be escaped with a
> backslash.
It will fail because you're doing this a very, very, very bad way.
Why rewrite this kind of stuff when the vendor has already made
correct code available?
PreparedStatement stmt = connection.prepareStatement(
"INSERT INTO db (name) VALUES (?)");
stmt.setString("user'name");
stmt.execute();
cjs
--
Curt Sampson <cjs@cynic.net> +81 90 7737 2974 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC