Thread: Protection from SQL injection
View Single Post

   
  #26 (permalink)  
Old 05-02-2008, 05:06 AM
Andrew Sullivan
 
Posts: n/a
Default Re: Protection from SQL injection
[I know, I know, bad form]

On Tue, Apr 29, 2008 at 04:55:21PM -0400, Andrew Sullivan wrote:
> thinking they have to worry about that area of security at all. I
> think without a convincing argument that the proposal will even come
> close to covering most SQL injection cases, it's a bad idea.

To be perfectly clear, I also think that the reverse is true: if a
fairly complete design was demonstrated to be possible such that it
covered just about every case, I'd be all for it. (I sort of like the
suggestion up-thread, myself, which is to have a GUC that disables
multi-statement commands. That'd probably cover a huge number of
cases, and combined with some sensible quoting rules in client
libraries, would quite possibly be enough.)

A

--
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Reply With Quote