Bytes IT Community

Illegal characters in database names, table names, user names...

I'm developing a simple proof-of-concept Web application, more as a
personal programming exercise than anything else, that presents the user
with a login form where they can type in a database name, username, and
password. I then present them with a text field to type in SQL queries,
and hand back a nicely-formatted HTML table with the result of their
queries. Basically, just a programming exercise to get my feet wet with
the Web application framework I'm using (a Python-based framework called
Quixote).

As I was writing the database-connection code, I got to thinking about
security. How do I prevent the user from entering something like
"eviluser ; drop database template1" in the username field?

One way to go about it, I thought, would be to examine the dbname,
username, and/or password fields and make sure that they contain only
legal characters. But I couldn't find a reference in the PostgreSQL
documentation to tell me which characters are considered legal or
illegal in database names, usernames, or table names. And what about
passwords? There may be all sorts of punctuation in there.

Is there a list of illegal characters somewhere? What other methods
would you recommend to validate user input before I send it off to
PostgreSQL?

--
Robin Munn
rm***@pobox.com
Nov 23 '05 #1
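The question above asks for an allow-list of legal characters and for other ways to keep form input out of SQL. The following is an added example, not code from the original post or from Quixote: it encodes PostgreSQL's documented rules for unquoted identifiers (a letter or underscore, then letters, digits, underscores or dollar signs, at most 63 bytes) as a strict allow-list, shows how to quote an identifier where a bind parameter cannot be used, and keeps credentials as separate driver parameters so the password never has to be filtered at all. The `connect(**kwargs)` call style is an assumption about the driver; everything else is standard library.

```python
"""
Added example (not part of the original post). Stdlib only; the driver's
connect() keyword style is assumed, not imported.
"""
import re

# PostgreSQL rule for *unquoted* identifiers: first a letter or underscore,
# then letters, digits, underscores or dollar signs, 63 bytes max
# (NAMEDATALEN - 1). Limiting letters to ASCII is stricter than the server,
# which is deliberate for an allow-list used on a login form.
_UNQUOTED_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_$]{0,62}")


def is_safe_identifier(name: str) -> bool:
    """True if `name` is acceptable as a plain, unquoted PostgreSQL identifier.

    fullmatch (rather than match) rejects trailing newlines and anything
    after the identifier, so "eviluser ; drop database template1" fails.
    """
    return _UNQUOTED_IDENT.fullmatch(name) is not None


def quote_identifier(name: str) -> str:
    """Return `name` as a double-quoted identifier.

    Quoted identifiers may contain any character except NUL, and an embedded
    double quote is written as two double quotes. This is the tool for
    statements that take an identifier, not a value (table names, DDL),
    where the driver's bind parameters cannot be used.
    """
    if "\x00" in name:
        raise ValueError("identifier contains NUL")
    if len(name.encode("utf-8")) > 63:
        raise ValueError("identifier longer than 63 bytes")
    return '"' + name.replace('"', '""') + '"'


def select_all_statement(table: str) -> str:
    """Build 'SELECT * FROM <table>' with the table name safely quoted."""
    return "SELECT * FROM " + quote_identifier(table)


def build_connect_kwargs(dbname: str, user: str, password: str) -> dict:
    """Turn login-form fields into separate driver parameters.

    The password is passed through untouched: it goes to the driver as its
    own parameter and never becomes part of a SQL string, so punctuation in
    it is harmless. dbname and user are held to the unquoted-identifier
    allow-list as a policy choice for a login form; the driver itself would
    also pass them as discrete parameters rather than splicing them into SQL.
    """
    for label, value in (("dbname", dbname), ("user", user)):
        if not is_safe_identifier(value):
            raise ValueError(f"{label} {value!r} is not a plain identifier")
    return {"dbname": dbname, "user": user, "password": password}


if __name__ == "__main__":
    # Constructed sample input, modelled on the example in the question.
    hostile_user = "eviluser ; drop database template1"
    print(is_safe_identifier("template1"))      # True
    print(is_safe_identifier(hostile_user))     # False
    print(select_all_statement('odd"name'))     # SELECT * FROM "odd""name"
    kwargs = build_connect_kwargs("template1", "robin", 'p@ss;"word')
    print(kwargs)
    # With a psycopg2-style driver this would be: conn = psycopg2.connect(**kwargs)
```

Usage note: the allow-list handles the database name and user name from the form; for the free-form query box there is no equivalent filter, so that field should only ever be run under a role with exactly the privileges the exercise needs, and the statement itself should never be assembled from user text except through `quote_identifier` for names and the driver's bind parameters for values.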
