I am protected against SQL injection

I would like to know if I can be safe from SQL injection when I use something similar with PostgreSQL:

CREATE or REPLACE FUNCTION sp_list_name( VARCHAR )
RETURNS SETOF v_player AS '
   DECLARE
      v_start_name ALIAS FOR $1;
      r_player  v_player%ROWTYPE;
      v_temp VARCHAR;
   BEGIN
      v_temp := v_start_name || ''%'';
      FOR r_player IN
         SELECT first_name, last_name FROM v_player WHERE last_name like v_temp
      LOOP
         RETURN NEXT r_player;
      END LOOP;
      RETURN;
   END;
' LANGUAGE 'plpgsql' VOLATILE;

I want to use this function to display the name of a player starting with a letter.

select * from sp_list_name( 'A' );

gives me players with a last name starting with the letter A.

I tried to enter SQL:

select * from sp_list_name( 'A; delete from t_player;--' );
select * from sp_list_name( '''; delete from t_player;--' );

Am I safe?

In which case could an injection get through?

Hello

+3
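An added example, not code from the question or from any of the answers, that puts the question's function beside the shape that would be injectable and beside dynamic SQL done safely. The table, view and rows are constructed here to mirror the question, and sp_list_name_unsafe / sp_list_name_dynamic are hypothetical names:

```sql
-- Constructed fixture standing in for the question's t_player/v_player
-- (assumption: the view exposes exactly the two columns the function selects).
CREATE TABLE t_player (first_name VARCHAR, last_name VARCHAR);
INSERT INTO t_player VALUES ('Anna', 'Abel'), ('Cy', 'Adams'), ('Bob', 'O''Grady');
CREATE VIEW v_player AS SELECT first_name, last_name FROM t_player;

-- 1. The question's design, restated with $$ quoting: the argument is only ever
--    a VALUE compared by LIKE. Quotes or semicolons in it are just pattern text.
CREATE OR REPLACE FUNCTION sp_list_name(v_start_name VARCHAR)
RETURNS SETOF v_player AS $$
BEGIN
   RETURN QUERY
      SELECT first_name, last_name FROM v_player
       WHERE last_name LIKE v_start_name || '%';
END;
$$ LANGUAGE plpgsql STABLE;

-- 2. The shape that IS injectable: the argument is spliced into SQL text with ||.
--    A quote in the input ends the literal early, so the rest is parsed as SQL.
CREATE OR REPLACE FUNCTION sp_list_name_unsafe(v_start_name VARCHAR)
RETURNS SETOF v_player AS $$
BEGIN
   RETURN QUERY EXECUTE
      'SELECT first_name, last_name FROM v_player WHERE last_name LIKE '''
      || v_start_name || '%''';
END;
$$ LANGUAGE plpgsql STABLE;

-- 3. Dynamic SQL done safely: the value is passed as a bind parameter with USING
--    (format('%L', ...) is the alternative when it must be embedded in the text).
CREATE OR REPLACE FUNCTION sp_list_name_dynamic(v_start_name VARCHAR)
RETURNS SETOF v_player AS $$
BEGIN
   RETURN QUERY EXECUTE
      'SELECT first_name, last_name FROM v_player WHERE last_name LIKE $1'
      USING v_start_name || '%';
END;
$$ LANGUAGE plpgsql STABLE;

-- Checks. Ordinary data already exposes the difference: the name with an
-- apostrophe breaks 2 with a syntax error, while 1 and 3 simply match it.
SELECT * FROM sp_list_name('O''Grady');          -- Bob O'Grady
SELECT * FROM sp_list_name_dynamic('O''Grady');  -- Bob O'Grady
SELECT * FROM sp_list_name_unsafe('O''Grady');   -- ERROR: syntax error
-- The question's payload is a harmless prefix for 1 and 3 (0 rows, table intact).
SELECT * FROM sp_list_name('''; delete from t_player;--');
SELECT count(*) FROM t_player;                   -- still 3
-- The same rule applies to the caller: bind the argument, never interpolate it.
PREPARE by_prefix(VARCHAR) AS SELECT * FROM sp_list_name($1);
EXECUTE by_prefix('A');                          -- Abel, Adams
```

LIKE metacharacters in the argument ('%', '_') are not injection, but they do widen the match to every row; escape them or restrict the argument to letters if that matters.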
7 answers

, SP , , "SELECT * FROM sp_list_name(?);" , - "SELECT * FROM sp_list_name('$start_name');" , " ');delete from t_player where last_name NOT IN ('". .

NB:. , , ';, ( EXECUTE, quote_literal, replace), ; " " ( , , , , ) "tl;dr" "O'Grady".

Leo Moore, Karl, LFSR Consulting: v_temp_name SP ( EXECUTE), , SP ( OP ). , ,

my $bar = "foo; unlink('/etc/password');"; 
my $baz = $bar;

unlink eval.

+7


SQL Injection - White Listing * - , .

- , , , . ASCII, escape-, .

, -, . .


+4


Ref. . , . , SQL-, .. , , , SQL .

, / ( !). , " SQL- , .

, 200 , , -. £ 60k, validate func(), , select, . , / ( ), .


+1

 v_start_name 
. , , .. Chars, Hex. , . "-", , "-" .

Hex SQL Injection,

http://www.arejae.com/blog/sql-injection-attack-using-t-sql-and-hexadecimal.html

http://www.securityfocus.com/infocus/1768

CREATE or REPLACE FUNCTION sp_list_name( VARCHAR )
RETURNS SETOF v_player AS '
   DECLARE
      v_start_name ALIAS FOR $1;
      r_player  v_player%ROWTYPE;
      v_temp VARCHAR;
   BEGIN
      -- reject the argument before it reaches the query if it contains
      -- anything other than letters (the "bad chars" check, done as a whitelist)
      IF v_start_name ~ ''[^A-Za-z]'' THEN
         RAISE EXCEPTION ''invalid characters in name prefix: %'', v_start_name;
      END IF;
      v_temp := v_start_name || ''%'';
      FOR r_player IN
         SELECT first_name, last_name FROM v_player WHERE last_name like v_temp
      LOOP
         RETURN NEXT r_player;
      END LOOP;
      RETURN;
   END;
' LANGUAGE 'plpgsql' VOLATILE;

-1

v_start_name, ";" ..,

v_clean_name VARCHAR;
-- strip every ';' from the input before using it (PL/pgSQL assignment syntax)
v_clean_name := replace(v_start_name, ';', '');


LFSR Consulting. WhiteList (.. - , ';'), BlackList (.. , SQL- Replace ).

. SQL Injection Attacks

-2

Source: https://habr.com/ru/post/1704466/
