
Re: plpgsql function SQL injection vulnerability?

From sten.unto@gmail.com (Unto Sten)
Newsgroups comp.databases.postgresql
Subject Re: plpgsql function SQL injection vulnerability?
Date 2018-10-26 19:08 +0000
Organization A noiseless patient Spider
Message-ID <pqvon7$bll$2@dont-email.me> (permalink)
References <pqstfl$bse$1@dont-email.me> <1a45tdhtfu7cas9hm1em6hgqs47o0afa0v@4ax.com>


George Neuner <gneuner2@comcast.net> wrote:
> This particular use is safe: the 're' argument to the function is
> passed as a parameter to the ~* regex operator in a static query ...
> the contents of the 're' string can't escape the operator's scope.

Okay, thanks, I suspected that.

> Static queries that take parameters mostly are immune to injection. It
> is possible to inject bogus data which will cause the query to fail or
> return the wrong results ... but the query using parameters can't be
> rewritten so as to do something completely different.

Understood.

> Injection is much more a concern with dynamic queries: e.g., the query
> is provided as a function argument, or is constructed by concatenating
> strings that include function arguments, and then is run using
> EXECUTE.  Sometimes you have no choice[*] but most queries can be
> written safely using parameters.  Dynamic queries more often are the
> result of programmer laziness than of real necessity.

Thanks for the info and have a great weekend!

Best regards,
Unto Sten
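As an added illustration of the static-versus-dynamic distinction George draws above (example code written for this page, not taken from the thread; the `items` table and the function names are assumptions):

```sql
-- Added example, not from the thread. Three plpgsql functions over a
-- hypothetical table "items(name text)": one splices its argument into
-- SQL text and runs it with EXECUTE (the dynamic-query case George warns
-- about), the other two bind the argument as a parameter.
CREATE TABLE items (id serial PRIMARY KEY, name text NOT NULL);
INSERT INTO items (name) VALUES ('alpha'), ('Beta'), ('gamma');

-- Unsafe: the argument becomes part of the SQL text, so whatever it
-- contains is parsed as SQL rather than treated as a pattern value.
CREATE OR REPLACE FUNCTION find_items_unsafe(re text)
RETURNS SETOF items LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE
    'SELECT * FROM items WHERE name ~* ''' || re || '''';
END;
$$;

-- Safe: a static query; "re" is bound as a parameter and can only ever
-- be the right-hand operand of ~* (the pattern from the original question).
CREATE OR REPLACE FUNCTION find_items_static(re text)
RETURNS SETOF items LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY SELECT * FROM items WHERE name ~* re;
END;
$$;

-- Safe even when the query text must be dynamic: EXECUTE ... USING binds
-- the value as $1, so the argument never enters the SQL string.
CREATE OR REPLACE FUNCTION find_items_dynamic(re text)
RETURNS SETOF items LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE 'SELECT * FROM items WHERE name ~* $1' USING re;
END;
$$;

-- A pattern containing a single quote is plain data for the two
-- parameterised versions (at worst it matches nothing or is an invalid
-- regex), but in the concatenated version it terminates the string
-- literal early and the statement fails to parse.
SELECT * FROM find_items_static('^b');
SELECT * FROM find_items_dynamic('''');
SELECT * FROM find_items_unsafe('''');
```

If the identifier rather than the value must vary (a table or column name), `format('%I', ...)` quotes it safely; values still belong in `USING`.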
