Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×

PostgreSQL 8.1.4 Released to Plug Injection Hole 162

Posted by ScuttleMonkey from the good-little-dutch-boy dept.
alurkar writes to tell us that PostgreSQL released version 8.1.4 today in order to combat a security flaw allowing a SQL injection attack. From the article: "The vulnerability affects PostgreSQL servers exposed to untrusted input, such as input coming from Web forms, in conjunction with multi-byte encodings like (Shift-JIS (SJIS), 8-bit Unicode Transformation Format (UTF-8), 16-bit Unicode Transformation Format (UTF-16), and BIG5. In particular, Berkus says that applications using 'ad-hoc methods to "escape" strings going into the database, such as regexes, or PHP3's addslashes() and magic_quotes' are particularly unsafe. 'Since these bypass database-specific code for safe handling of strings, many such applications will need to be re-written to become secure.'"
This discussion has been archived. No new comments can be posted.

PostgreSQL 8.1.4 Released to Plug Injection Hole More

PostgreSQL 8.1.4 Released to Plug Injection Hole

Comments Filter:

  • Re:This is why... (Score:5, Insightful)

    by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Tuesday May 23, 2006 @10:43PM (#15391274) Homepage Journal
    > didn't realize that dates of the form 2006-05-01 needed quotes

    There's a difference between fundamentally flawed thinking and a bug. Someone found this bug, it was fixed in 30 seconds, and suddenly everyone using DBI had a more robust solution. Software's never going to be "perfect", but it's likely that a group of people trying to solve a problem in general is going to have a better product than something you came up with after lunch :)

  • Validate, Validate AND Validate (Score:5, Insightful)

    by Joe U ( 443617 ) on Tuesday May 23, 2006 @11:06PM (#15391375) Homepage Journal
    Multi-Layered validation is the only way to go.

    Client validation is only useful for round-trip bandwidth reduction, it's nice to have, but not secure in any way. It can stop the occasional accidental bad input. (e.g. entering strings when numerical data is called for, pop up a message box telling you not to do that), it won't stop anyone really interested in corrupting your data.

    The app server should be validating everything being posted to it. Is this string too long, too short, not a string, wrong encoding, etc...

    The DB server should ALSO be validating everything coming from the app server. Don't trust your application server, it could have a bug, it could have been hacked, it might not be your app server, who knows. Strict stored procedures with no r/w access to tables is a really the only way to go. (To: My Co-Workers, Using select * queries and running as dbo and/or sa is usually a sign that you're not doing it right)

    Yes, it's paranoid thinking, yes, it's more work and yes, there is a slight performance hit, but it is secure and it's damn hard to break.

  • The Prepare Command (Score:3, Insightful)

    by Qzukk ( 229616 ) on Tuesday May 23, 2006 @11:19PM (#15391423) Journal
    ... because counting out 500 question marks to figure out why the hell your parameters don't match up is MUCH more fun than being paged at 3AM because the entire production database was wiped out.

Slashdot Top Deals

"Engineering without management is art." -- Jeff Johnson

Close