Is dollar quoting enough to prevent malicious inputs like SQL injection?

For example:

SELECT * FROM mytable WHERE title = $secret$ hack'-- $secret$

where user input is

hack'--
Noob Life

1 Answer

No, of course not, because the hacker could enter a string containing $secret$.

What you suggest goes by the name “security by obscurity” and enjoys ill respect among security experts. For example, it would not work at all with open source software.

Fortunately PostgreSQL and all relevant APIs have functions that make the safe construction of SQL statements simple.

Laurenz Albe
  • Well, the "secret" would be a generated password stored in an environment variable in a server. Could you guide or link "functions that make the safe construction of SQL statements simple"? – Noob Life Aug 23 '21 at 01:27
  • Even if the risk is low, why not play it safe? Each API has its own functions. If you want to use database functions to safely construct an SQL string, use [`format`](https://www.postgresql.org/docs/current/functions-string.html#FUNCTIONS-STRING-FORMAT). – Laurenz Albe Aug 23 '21 at 02:19
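A psql script, added here as an illustration and not part of the question or answer, that shows why a known dollar-quote tag gives no protection and how the `format('%L', ...)` and bind-parameter approaches the answer refers to keep the same input as plain data. The table, rows and attacker inputs are constructed for the demonstration.

```sql
-- Constructed demo table (not from the original post).
CREATE TEMP TABLE mytable (id int, title text);
INSERT INTO mytable VALUES (1, 'public'), (2, 'private');

-- 1. Naive construction with a $secret$ tag. Suppose the user input is the
--    string " $secret$ OR 1=1 --" (it contains the tag). Splicing it into
--    the template from the question yields this statement. The WHERE clause
--    has become  title = ' ' OR 1=1  and every row comes back.
SELECT * FROM mytable WHERE title = $secret$ $secret$ OR 1=1 --$secret$
;   -- terminator on its own line, because "--" swallowed the rest of the line

-- 2. Building SQL text with format('%L', ...): the value is emitted as a
--    correctly quoted literal, so embedded single quotes or a $secret$ tag
--    stay inside the string. ($in$...$in$ is only how this script spells
--    the input; any client would pass the same bytes.)
SELECT format('SELECT * FROM mytable WHERE title = %L',
              $in$ $secret$ OR 1=1 --$in$) AS safe_sql;
-- safe_sql: SELECT * FROM mytable WHERE title = ' $secret$ OR 1=1 --'
SELECT format('SELECT * FROM mytable WHERE title = %L', 'hack''--') AS safe_sql;
-- safe_sql: SELECT * FROM mytable WHERE title = 'hack''--'

-- 3. Preferable: never splice the value into SQL text at all; hand it over as
--    a bind parameter (EXECUTE ... USING in PL/pgSQL, or the placeholder form
--    of your client driver). The input is compared as data and matches no row.
DO $body$
DECLARE
    evil text := $in$ $secret$ OR 1=1 --$in$;
    n    bigint;
BEGIN
    EXECUTE 'SELECT count(*) FROM mytable WHERE title = $1' INTO n USING evil;
    RAISE NOTICE 'rows matched with a bind parameter: %', n;   -- 0
END
$body$;
```

Run it with `psql -f` against any scratch database; only step 1 returns both rows, the other two treat the input as an ordinary string.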