Re: Protection from SQL injection

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>
Cc: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-26 17:05:14
Message-ID: 12890.1209229514@sss.pgh.pa.us
Lists: pgsql-sql

"Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com> writes:
> SET ALLOW_LITERALS NONE;

I think you missed April Fool's Day...

This is just silly, as it makes life impossibly painful for users
(constants are hardly a useless part of SQL) and it doesn't really
plug any holes. As an example:

select * from tab where intcol = intcol; delete from tab;

contains no literals and yet the delete is very probably injected.

regards, tom lane
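The point above, worked through as an added example (not code from the thread or from PostgreSQL): a simplified literal detector, standing in for what a "no literals" policy would have to check, does not flag the concatenated statement from the post, while it does flag a perfectly ordinary `intcol = 42`. Binding the input as a parameter, the usual fix, keeps the rows intact. The table name and the injected fragment are the ones in the post; the sample rows, the regex and the use of Python's sqlite3 module as a stand-in for a PostgreSQL connection are assumptions, and `executescript()` is used only because it accepts several statements in one call, the way libpq's PQexec does.

```python
import re
import sqlite3

# Assumption: a rough model of a "no literals" check, matching quoted strings
# and bare numbers. This is not PostgreSQL's lexer and not a real
# ALLOW_LITERALS implementation.
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def has_literals(sql: str) -> bool:
    """Return True if the statement text contains a string or numeric literal."""
    return bool(LITERAL_RE.search(sql))


def build_vulnerable(user_input: str) -> str:
    """String-concatenated query: the kind of code the proposed policy aims to protect."""
    return f"select * from tab where intcol = {user_input};"


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: three rows in 'tab' (the table name from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tab (intcol integer)")
    conn.executemany("insert into tab values (?)", [(1,), (2,), (3,)])
    conn.commit()
    return conn


def run_concatenated(user_input: str) -> int:
    """Run the concatenated text as a multi-statement script and report how many
    rows survive. executescript() plays the role of a driver that accepts several
    statements per call; the literal check never sees anything to object to."""
    conn = fresh_db()
    conn.executescript(build_vulnerable(user_input))
    return conn.execute("select count(*) from tab").fetchone()[0]


def run_parameterized(user_input: str) -> int:
    """The actual fix: bind the input as a value, so 'intcol; delete from tab'
    is compared against the column rather than parsed as SQL."""
    conn = fresh_db()
    conn.execute("select * from tab where intcol = ?", (user_input,))
    return conn.execute("select count(*) from tab").fetchone()[0]


if __name__ == "__main__":
    injected = "intcol; delete from tab"
    sql = build_vulnerable(injected)
    print(sql)  # the literal-free statement from the post
    print("literal check flags it:", has_literals(sql))
    print("literal check flags 'intcol = 42':",
          has_literals("select * from tab where intcol = 42"))
    print("rows left after concatenation:", run_concatenated(injected))
    print("rows left after parameterization:", run_parameterized(injected))
```

Running it shows the two failure modes of the policy side by side: the honest query with a constant is rejected, the injected one passes and empties the table, and only the parameterized version leaves all three rows in place.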
