Forum OpenACS Q&A: Anti SQL Injection Example (Link)

Posted by Nima Mazloumi on
Hi all,

found this sample for PHP to prevent SQL injection. Do we have something similar for any field that is entered in ad_form?

http://www.phpfreaks.com/quickcode/code/203.php

Greetings,
Nima

Posted by Dirk Gomez on
The Oracle version of OpenACS uses bind variables and is not vulnerable to SQL injection attacks: the reason is that the SQL is parsed without *any* user input at all.

Can someone explain how this works in the PostgreSQL version?

Posted by Malte Sussdorff on
To my knowledge exactly the same way.
Posted by Dave Bauer on
In PostgreSQL the db_* commands extract the "bind" variables and SQL quote them automatically. In the PG driver itself the [] characters are escaped as well for safety.

This means that the effective security of PostgreSQL is the same as Oracle.

This is done at the database api layer.

In addition ad_page_contract has filters and validation features to check input. ad_form and the form builder also have validation features for input.
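The mechanism Dave describes (placeholders of the form :name pulled out of the query and replaced by SQL-quoted literals, rather than concatenated raw) can be shown in a few lines. The following is an added illustration, not code from OpenACS or its PostgreSQL driver: it is written in Python against an in-memory SQLite database rather than in Tcl against PostgreSQL, the table and rows are constructed for the demo, and the quoting rule (double every embedded single quote) is the generic SQL one. It puts a value containing an apostrophe through three paths: naive string interpolation, the quoted-substitution emulation of bind variables, and the driver's native parameter binding, and shows that only the first one breaks.

```python
"""Emulated bind variables versus raw interpolation (added example, not OpenACS code)."""
import re
import sqlite3


def quote_literal(value):
    """Render a Python value as a SQL literal; embedded quotes are doubled."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


# Matches :name placeholders but not PostgreSQL-style ::type casts.
_PLACEHOLDER = re.compile(r"(?<![:\w]):(\w+)")


def bind_emulated(sql, binds):
    """Replace every :name placeholder with the quoted literal from binds.

    This mirrors what the thread describes for the PostgreSQL side: the value
    is never parsed as SQL, it is inserted as a single, already-quoted literal.
    """
    def substitute(match):
        name = match.group(1)
        if name not in binds:
            raise KeyError(f"no bind value supplied for :{name}")
        return quote_literal(binds[name])
    return _PLACEHOLDER.sub(substitute, sql)


def make_db():
    """Constructed sample data: two users, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Alice"), (2, "O'Brien")])
    return conn


QUERY = "SELECT user_id FROM users WHERE name = :name"


def lookup_unsafe(conn, name):
    """Raw interpolation: the value becomes part of the SQL text unchanged."""
    sql = QUERY.replace(":name", "'" + name + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_emulated(conn, name):
    """Quoted substitution, the emulated bind-variable approach."""
    sql = bind_emulated(QUERY, {"name": name})
    return [row[0] for row in conn.execute(sql)]


def lookup_native(conn, name):
    """True bind variables: the driver receives SQL and value separately."""
    return [row[0] for row in conn.execute(QUERY, {"name": name})]


def unsafe_query_parses(conn, name):
    """True if raw interpolation still yields syntactically valid SQL."""
    try:
        lookup_unsafe(conn, name)
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    print(bind_emulated(QUERY, {"name": "O'Brien"}))
    print("emulated:", lookup_emulated(db, "O'Brien"))
    print("native:  ", lookup_native(db, "O'Brien"))
    print("raw SQL parses:", unsafe_query_parses(db, "O'Brien"))
```

With the apostrophe value, raw interpolation produces an unterminated string and the statement fails to parse, which is the same place where a differently shaped value would change the query's meaning; the emulated and native paths both return the intended row because the value stays a literal. The emulation also leaves `::type` casts alone, which matters when the same substitution runs over real PostgreSQL queries.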