Forum OpenACS Q&A: Anti SQL Injection Example (Link)

Collapse
1: Anti SQL Injection Example (Link)
Posted by Nima Mazloumi on 01/18/05 05:52 PM
Hi all,

found this sample for PHP to prevent SQL injection. Do we have something similar for any field that is entered in ad_form?

http://www.phpfreaks.com/quickcode/code/203.php

Greetings,
Nima

Collapse
2: Re: Anti SQL Injection Example (Link) (response to 1)
Posted by Dirk Gomez on 01/18/05 06:13 PM
The Oracle version of OpenACS uses bind variables and is not vulnerable to SQL injection attacks: the reason is that the SQL is parsed without *any* user input at all.

Can someone explain how this works in the PostgreSQL version?

Collapse
3: Re: Re: Anti SQL Injection Example (Link) (response to 2)
Posted by Malte Sussdorff on 01/18/05 06:44 PM
To my knowledge exactly the same way.
Collapse
4: Re: Anti SQL Injection Example (Link) (response to 1)
Posted by Dave Bauer on 01/19/05 04:57 PM
In Postgresql the db_* commands extract the "bind" variables and SQL quote them automatically. In the PG driver itself the [] charactaers are escaped as well for safety.

This means that the effective security of PostgreSQL is the same as Oracle.

This is done at the database api layer.

In addition ad_page_contract has filters and validation features to check input. ad_form and the form builder also have validation features for input.