how to create a function that runs a dynamic query on PostgreSql that is saved from SQL Injection attacks

Hello,

I have a dynamic query on a postgresql function. The where clause is generated at the application level (Java function) and passed-on as a parameter to the postgresql function. The where clause is based on values passed on a webform for a drilldown object on an online store.

I tested the where clause and noticed that I was able to inject extract sql at the end of the where clause. postgresql ran the sql without any problems. But, this is a vulnerability.

How can I overcome this issue?

Thanks,
vielkacarolina1239Asked:
Who is Participating?
 
lenordisteConnect With a Mentor Commented:
this article is quite thorough about sql injection issues and should give you a good idea of what to watch out for:
http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx

also, you may want to check out PreparedStatements, since they take care of the problem most of the time:
http://www.postgresql.org/docs/8.1/interactive/sql-prepare.html

0
 
lenordisteConnect With a Mentor Commented:
on a side note, if you are interested in security related issues, OWASP is a good place to look for info. There's even a small article about SQL injection in java:
http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
0
 
vielkacarolina1239Author Commented:
Hello,

What I am trying to protect is a dynamic query on a postgresql function. Please see code snipped sample. The commented select statement is a dangereous one. How can I protect against this. Also, php has a scape method called mysql_real_escape_string() to scape query strings. Does Java have a scape method for sql queries?
CREATE TYPE testDrilldowntype AS
("Property1" character varying(50),  "PropertyVal1" character varying(200),  
  "Property3" character varying(50),  "PropertyVal3" character varying(200)
);

CREATE OR REPLACE FUNCTION func_getdrilldownbywhereclause2(drilldownwhereclause character varying)
  RETURNS SETOF testdrilldowntype AS
$BODY$  

DECLARE whereClause character varying;
DECLARE	queryStr character varying;

DECLARE s integer;

DECLARE r testDrilldowntype;

BEGIN

	DROP TABLE IF EXISTS drillDownTbl;

	CREATE TEMPORARY TABLE drillDownTbl
	(  "Property1" character varying(50),  "PropertyVal1" character varying(200),             
           "Property3" character varying(50),  "PropertyVal3" character varying(200));

        queryStr := 'insert into drillDownTbl("Property1", "PropertyVal1", "Property3",  "PropertyVal3") ' ||
			'select               "Property1", "PropertyVal1", "Property3",  "PropertyVal3"  ' ||
                        'from "ItemDetails1" ' ||
			'join "Items" ' ||
                           'on "Items"."ItemIDInternal"  = "ItemDetails1"."ItemIDInternal" ' ||                    
			'where ' || 
			$1;
        	
	EXECUTE queryStr;
	
	FOR r IN SELECT * FROM drillDownTbl
	LOOP
		RETURN NEXT r; -- return current row of SELECT
	END LOOP;


END;

$BODY$
  LANGUAGE 'plpgsql' VOLATILE
  COST 1000
  ROWS 1000;



/*

select * from func_getdrilldownbywhereclause2('"Items"."ItemIDInternal" = 1; INSERT INTO "CustomerLogin"("CustomerID", "ClientSessionID", "LastLoginDate") VALUES (1, ''asdfasdf'', now())')

*/

Open in new window

0
 
lenordisteCommented:
0
 
lenordisteConnect With a Mentor Commented:
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.