Slashdot Mirror

← Back to Stories (view on slashdot.org)

PostgreSQL 8.1.4 Released to Plug Injection Hole

Posted by ryuzaki0 on from the good-little-dutch-boy dept.

alurkar writes to tell us that PostgreSQL released version 8.1.4 today in order to combat a security flaw allowing a SQL injection attack. From the article: "The vulnerability affects PostgreSQL servers exposed to untrusted input, such as input coming from Web forms, in conjunction with multi-byte encodings like (Shift-JIS (SJIS), 8-bit Unicode Transformation Format (UTF-8), 16-bit Unicode Transformation Format (UTF-16), and BIG5. In particular, Berkus says that applications using 'ad-hoc methods to "escape" strings going into the database, such as regexes, or PHP3's addslashes() and magic_quotes' are particularly unsafe. 'Since these bypass database-specific code for safe handling of strings, many such applications will need to be re-written to become secure.'"

3 of 162 comments (clear)

  1. Re:This is why... by jrockway · · Score: 5, Informative

    It especially bugs me because it's easier to Do Things Right. The DBI manpage for perl doesn't even mention the sloppy way that nearly everyone uses... but they do it anyway! In nearly every database application / script I look at, people do things like $dbh->execute("SELECT * FROM foo WHERE bar=$bar AND baz=$baz") after "escaping" $bar and $baz. No, no, no!

    It's much easier to prepare a query handle and then execute it as needed:

    $sth = $dbh->prepare("SELECT a,b,c FROM foo WHERE bar=? and baz=?")
    $sth->execute($bar, $baz);


    Not only is it more efficient (if you're going to use the same query twice), it's secure by default. Let the database programmers handle the Hard Stuff (parsing) so that you can concentrate on your application.

    Speaking of which, is there a way to do this in PHP? I've never seen a PHP script that did anything like this (which is probably why bugtraq is 99% php SQL injection holes).

    --
    My other car is first.
  2. Plug Injection Hole by fudgefactor7 · · Score: 5, Funny

    heh, heh, heh... I'll plug your injection hole, baby!

  3. On the bright side... by quantum+bit · · Score: 5, Interesting

    PostgreSQL defaults to SQL-ASCII encoding, which is unaffected by this particular attack. Only clients which connect using a multibyte encoding would be affected.

    Actually, this really isn't a vulnerability in the database server itself -- the update just intentionally breaks certain badly written applications in order to protect them from themselves. If PHP's addslashes() ends up creating valid multibyte characters that produce unexpected behavior, that's really PHP's problem -- Postgres is just doing what it's told.