Re: [SECURITY] DoS attack on backend possible

Curt Sampson <cjs@cynic.net>

From: Curt Sampson <cjs@cynic.net>
To: ngpg@grymmjack.com
Cc: pgsql-hackers@postgresql.org
Date: 2002-08-20T11:29:11Z
Lists: pgsql-hackers
On Mon, 19 Aug 2002 ngpg@grymmjack.com wrote:

> $input = "user'name";
> INSERT INTO db (name) VALUES ('$input');
>
> will fail because the ' in the input needs to be escaped with a
> backslash.

It will fail because you're doing this a very, very, very bad way.
Why rewrite this kind of stuff when the vendor has already made
correct code available?

    import java.sql.PreparedStatement;

    // The driver sends the bound value separately from the SQL text,
    // so the apostrophe in "user'name" needs no escaping at all.
    PreparedStatement stmt = connection.prepareStatement(
        "INSERT INTO db (name) VALUES (?)");
    stmt.setString(1, "user'name");   // setString takes the 1-based parameter index
    stmt.execute();

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
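The contrast Curt draws above, as an added example that is not part of the thread: the interpolated statement from the quoted message beside the placeholder-bound one. It uses Python's stdlib sqlite3 as a stand-in for PostgreSQL and JDBC (same DB-API placeholder idea, `?` instead of a PreparedStatement); the table and column names come from the thread, the helper names are mine.

```python
import sqlite3

# Constructed sample input, taken from the quoted message: an apostrophe in a name.
SAMPLE_INPUT = "user'name"


def _fresh_db():
    """In-memory database with the single-column table used in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db (name TEXT)")
    return conn


def insert_interpolated(value):
    """The pattern quoted in the thread: the value is spliced into the SQL text.
    Returns True if the INSERT ran, False when the apostrophe breaks the statement."""
    conn = _fresh_db()
    try:
        conn.execute(f"INSERT INTO db (name) VALUES ('{value}')")
        return True
    except sqlite3.OperationalError:
        # Syntax error: the quote in the input terminated the string literal early.
        return False
    finally:
        conn.close()


def insert_parameterized(value):
    """Placeholder binding, the DB-API analogue of JDBC's PreparedStatement.
    The value never becomes part of the SQL text, so no escaping is needed.
    Returns the stored name read back from the table."""
    conn = _fresh_db()
    try:
        conn.execute("INSERT INTO db (name) VALUES (?)", (value,))
        return conn.execute("SELECT name FROM db").fetchone()[0]
    finally:
        conn.close()
```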