Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Am I safe against SQL injection

Tags:

security

sql

sql-injection

postgresql

I would like to know if I'm safe against SQL injection when I use something like that with PostgresSQL:

CREATE or REPLACE FUNCTION sp_list_name( VARCHAR )
RETURNS SETOF v_player AS '
   DECLARE
      v_start_name ALIAS FOR $1;
      r_player  v_player%ROWTYPE;
      v_temp VARCHAR;
   BEGIN
      v_temp := v_start_name || ''%'';
      FOR r_player IN
         SELECT first_name, last_name FROM v_player WHERE last_name like v_temp
      LOOP
         RETURN NEXT r_player;
      END LOOP;
      RETURN;
   END;
' LANGUAGE 'plpgsql' VOLATILE;

I want to use this function to list player's name beginning with a letter.

select * from sp_list_name( 'A' );

gives me players with last name beginning with A.

I tried to inject sql with

select * from sp_list_name( 'A; delete from t_player;--' );
select * from sp_list_name( '''; delete from t_player;--' );

Am I safe ?

Which case I could be injected ?

Regards

like image 600
Luc M Avatar asked Dec 05 '22 06:12

Luc M

1 Answers

In terms of your procedure you seem safe as the variable in the SP won't be expanded into code, but you can still expose yourself if you don't use a parameterized query like "SELECT * FROM sp_list_name(?);" in your appplication code. Something like "SELECT * FROM sp_list_name('$start_name');" could be subverted by a user passing a start name of "');delete from t_player where last_name NOT IN ('". So use a parameterized query or sanity check your inputs in your program.

NB: To others, please note that a variable in a stored procedure will not expand into code even if it contains a ' or ;, (excluding passing it to EXECUTE, for which you would use quote_literal, not hand-rolled replace functions) so replacing ; or ' is totally unnecessary (in the stored procedure, the application using it is a different story, of course) and would prevent you from always finding the "tl;dr" or "O'Grady" teams.

Leo Moore, Karl, LFSR Consulting: v_temp_name in the stored procedure will NOT be expanded into code in the SP (no EXECUTE), the check would need to be done n the application, not the SP (or the OP could just use a parameterized query in their app code, instead). What others are suggesting is similar to worrying about 

my $bar = "foo; unlink('/etc/password');"; 
my $baz = $bar;

actually running the unlink in the absence of an eval.

like image 97
8 revs, 2 users 94% Avatar answered Dec 11 '22 08:12

8 revs, 2 users 94%
Sign in to Comment

Related questions

What exactly does "(X row(s) affected)" mean?
Create interval using a column value postgresql
Oracle SQL: Is ORDER BY non unique field deterministic?
Replace multiple repeating character to one
Convert from varchar into date in SQL Server
Why this sql is correct? (sql injection)
Add single quotes to results in a column from a SQL query
PostgreSQL getting a year from date type as integer
String_agg for multiple columns
MySQL JSON_OBJECT instead of GROUP_CONCAT
convert Postgres geometry format to WKT
How to count a feature x if y condition is true (bigquery)
FIND_IN_SET with multiple value
Laravel Reset Database after Test
Golang SQL query variable substituion
How to join by closest timestamp in BigQuery?
SQL Server 2000 Function for record created datetime
Best way to make double insert
Dealing with "hypernormalized" data
Conditional SELECT of a column

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!