How to create a function that runs a dynamic query on PostgreSQL that is safe from SQL injection attacks
Posted on 2010-09-11
I have a dynamic query in a PostgreSQL function. The WHERE clause is generated at the application level (a Java function) and passed on as a parameter to the PostgreSQL function. The WHERE clause is based on values passed from a web form for a drill-down object on an online store.
I tested the WHERE clause and noticed that I was able to inject extra SQL at the end of the WHERE clause. PostgreSQL ran the SQL without any problems. But this is a vulnerability.
How can I overcome this issue?
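As an added example (not from the original post or its author), here is a PL/pgSQL function in the shape the question describes, next to a hardened version that accepts filter values instead of SQL text, whitelists the column name with `format('%I')` and binds the values with `EXECUTE ... USING`. The `products` table, its columns and the function names are assumptions made for the example.

```sql
-- Constructed schema for the example (not from the original post).
CREATE TABLE products (id serial PRIMARY KEY, name text NOT NULL,
                       category text NOT NULL, price numeric NOT NULL);

-- Vulnerable pattern as described in the question: the caller hands over
-- a ready-made WHERE clause and the function splices it into the query,
-- so whatever text arrives is executed as SQL.
CREATE OR REPLACE FUNCTION find_products_unsafe(where_clause text)
RETURNS SETOF products
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT * FROM products WHERE ' || where_clause;
END;
$$;

-- Hardened version: the caller passes filter *values*, never SQL text.
-- The column name is checked against a whitelist and quoted with %I;
-- the values travel as bind parameters through USING, so they are never
-- interpolated into the statement string.
CREATE OR REPLACE FUNCTION find_products(
    filter_column text,      -- e.g. 'category'; NULL means no text filter
    filter_value  text,      -- e.g. 'shoes'
    max_price     numeric    -- NULL means no price limit
)
RETURNS SETOF products
LANGUAGE plpgsql AS $$
DECLARE
    sql text;
BEGIN
    IF filter_column IS NOT NULL
       AND filter_column NOT IN ('name', 'category') THEN
        RAISE EXCEPTION 'filter on column % is not allowed', filter_column;
    END IF;

    sql := 'SELECT * FROM products WHERE TRUE';
    IF filter_column IS NOT NULL THEN
        sql := sql || format(' AND %I = $1', filter_column);
    END IF;
    IF max_price IS NOT NULL THEN
        sql := sql || ' AND price <= $2';
    END IF;

    -- $1 and $2 are always supplied; an unreferenced parameter is harmless.
    RETURN QUERY EXECUTE sql USING filter_value, max_price;
END;
$$;

-- Usage from the application: only values cross the boundary.
SELECT * FROM find_products('category', 'shoes', 100);
```

The same rule applies on the Java side: send the drill-down values as JDBC parameters and let the function assemble the query, rather than sending a WHERE clause string.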