On Mon, 2004-06-21 at 12:36, Marc Saric wrote:
> I am working on a small Db-project which provides a Webware-based
> HTML-interface to a Postgres-database.

> Forms are managed with help of FormKit.

> Although this is only for Intranet-use, I would like to add a Validator,
> which prevents SQL-injection on Db-queries.

> Has anyone tried to write one, or have any advice on where to look or how
> to tackle this problem?

Hi Marc,

Instead of validating the input, consider simply escaping all potentially
dangerous characters.  PostgreSQL conveniently provides a function to do
this, so all the hard work is done.  If you're using the psycopg adapter,
the function is called 'QuotedString'.  You simply do:

import psycopg

s = get_raw_user_input()        # whatever your form handler gives you
s = psycopg.QuotedString(s)     # str(s) is now a safely quoted SQL literal

Now you can use 's' safely in a query.

--
Jason D. Hildebrand
T: 204 775 1212
E: [EMAIL PROTECTED]
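Added example (not from the thread, and not psycopg's own code) of what the quoting above achieves: a hostile input is reduced to a single string literal, while a legitimate name containing an apostrophe still works. It uses the standard-library sqlite3 module as a stand-in for PostgreSQL, since both escape a quote inside a literal by doubling it, and it also shows the parameterized form that psycopg2 and later drivers offer through cursor.execute(sql, params); quote_literal, the table and the rows are constructed for this demonstration.

```python
import sqlite3

# Constructed sample rows; one name contains an apostrophe on purpose.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")]


def quote_literal(value: str) -> str:
    """Return value as a single-quoted SQL string literal.

    Standard SQL (and PostgreSQL with standard_conforming_strings on)
    escapes a quote inside a literal by doubling it. psycopg's
    QuotedString does this plus any server-specific escaping.
    """
    if "\x00" in value:
        raise ValueError("NUL byte not allowed in a SQL string literal")
    return "'" + value.replace("'", "''") + "'"


def _db() -> sqlite3.Connection:
    # sqlite3 stands in for PostgreSQL here; the quoting rule is the same.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(name: str) -> list:
    """Naive concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(r[0] for r in _db().execute(sql))


def lookup_escaped(name: str) -> list:
    """Concatenation, but the input is quoted into one string literal."""
    sql = "SELECT name FROM users WHERE name = " + quote_literal(name)
    return sorted(r[0] for r in _db().execute(sql))


def lookup_parameterized(name: str) -> list:
    """Preferred form: the driver sends the value separately from the SQL."""
    rows = _db().execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    hostile = "' OR '1'='1"          # constructed input that rewrites the WHERE clause
    print(lookup_unsafe(hostile))         # ['alice', 'bob', "o'brien"]
    print(lookup_escaped(hostile))        # []
    print(lookup_parameterized(hostile))  # []
    print(lookup_escaped("o'brien"))      # ["o'brien"]
```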

_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss