Noob Life
Reputation: 580
Is dollar-quoting in Postgres enough to escape malicious inputs?
Is dollar quoting enough to prevent malicious inputs like SQL injection?
For example:
SELECT * FROM mytable WHERE title = $secret$ hack'-- $secret$
where user input is
hack'--
Upvotes: 0
Views: 130
Answers (1)
Laurenz Albe
Reputation: 246598
No, of course not, because the hacker could enter a string containing $secret$.
What you suggest goes by the name “security by obscurity” and enjoys ill respect among security experts. For example, it would not work at all with open source software.
Fortunately PostgreSQL and all relevant APIs have functions that make the safe construction of SQL statements simple.
Upvotes: 1
Related Questions
- String literals and escape characters in postgresql
- Has anyone ever discussed adding unquote syntax to PostgreSQL dollar-quoted strings?
- PostgreSQL Dollar-Quoted Strings Constants to Prevent SQL Injection
- Are there any escaping syntax for psql variable inside PostgreSQL functions?
- Is Checking for String Quotes a Reliable Form of SQL Injection Preventing?
- Is there a mechanism in SQL to escape a variable?
- Can I protect against SQL injection attacks by wrapping SQL in PostgreSQL functions?
- Is this actually open to SQL injection?
- PostgreSQL: nonstandard use of escape string
- Am I safe against SQL injection