Solved

how to create a function that runs a dynamic query on PostgreSql that is saved from SQL Injection attacks

Posted on 2010-09-11
5
693 Views
Last Modified: 2012-05-10
Hello,

I have a dynamic query on a postgresql function. The where clause is generated at the application level (Java function) and passed-on as a parameter to the postgresql function. The where clause is based on values passed on a webform for a drilldown object on an online store.

I tested the where clause and noticed that I was able to inject extract sql at the end of the where clause. postgresql ran the sql without any problems. But, this is a vulnerability.

How can I overcome this issue?

Thanks,
0
Comment
Question by:vielkacarolina1239
  • 4
5 Comments
 
LVL 11

Accepted Solution

by:
lenordiste earned 500 total points
ID: 33654767
this article is quite thorough about sql injection issues and should give you a good idea of what to watch out for:
http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx

also, you may want to check out PreparedStatements, since they take care of the problem most of the time:
http://www.postgresql.org/docs/8.1/interactive/sql-prepare.html

0
 
LVL 11

Assisted Solution

by:lenordiste
lenordiste earned 500 total points
ID: 33654776
on a side note, if you are interested in security related issues, OWASP is a good place to look for info. There's even a small article about SQL injection in java:
http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
0
 

Author Comment

by:vielkacarolina1239
ID: 33656048
Hello,

What I am trying to protect is a dynamic query on a postgresql function. Please see code snipped sample. The commented select statement is a dangereous one. How can I protect against this. Also, php has a scape method called mysql_real_escape_string() to scape query strings. Does Java have a scape method for sql queries?
CREATE TYPE testDrilldowntype AS

("Property1" character varying(50),  "PropertyVal1" character varying(200),  

  "Property3" character varying(50),  "PropertyVal3" character varying(200)

);



CREATE OR REPLACE FUNCTION func_getdrilldownbywhereclause2(drilldownwhereclause character varying)

  RETURNS SETOF testdrilldowntype AS

$BODY$  



DECLARE whereClause character varying;

DECLARE	queryStr character varying;



DECLARE s integer;



DECLARE r testDrilldowntype;



BEGIN



	DROP TABLE IF EXISTS drillDownTbl;



	CREATE TEMPORARY TABLE drillDownTbl

	(  "Property1" character varying(50),  "PropertyVal1" character varying(200),             

           "Property3" character varying(50),  "PropertyVal3" character varying(200));



        queryStr := 'insert into drillDownTbl("Property1", "PropertyVal1", "Property3",  "PropertyVal3") ' ||

			'select               "Property1", "PropertyVal1", "Property3",  "PropertyVal3"  ' ||

                        'from "ItemDetails1" ' ||

			'join "Items" ' ||

                           'on "Items"."ItemIDInternal"  = "ItemDetails1"."ItemIDInternal" ' ||                    

			'where ' || 

			$1;

        	

	EXECUTE queryStr;

	

	FOR r IN SELECT * FROM drillDownTbl

	LOOP

		RETURN NEXT r; -- return current row of SELECT

	END LOOP;





END;



$BODY$

  LANGUAGE 'plpgsql' VOLATILE

  COST 1000

  ROWS 1000;







/*



select * from func_getdrilldownbywhereclause2('"Items"."ItemIDInternal" = 1; INSERT INTO "CustomerLogin"("CustomerID", "ClientSessionID", "LastLoginDate") VALUES (1, ''asdfasdf'', now())')



*/

Open in new window

0
 
LVL 11

Expert Comment

by:lenordiste
ID: 33656316
0
 
LVL 11

Assisted Solution

by:lenordiste
lenordiste earned 500 total points
ID: 33656322
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many developers have database experience, but are new to PostgreSQL. It has some truly inspiring capabilities. I have several years' experience with Microsoft's SQL Server. When I began working with MySQL, I wanted a quick-reference to MySQL (htt…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Via a live example, show how to setup several different housekeeping processes for a SQL Server.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now