Re: Protection from SQL injection

From: Alvaro Herrera <alvherre(at)commandprompt(dot)com>
To: darrenr(at)fastmail(dot)net
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, ajs(at)commandprompt(dot)com, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-05-02 14:53:58
Message-ID: 20080502145358.GC2320@alvh.no-ip.org
Lists: pgsql-hackers

Darren Reed wrote:

> Because interacting with the database is always through an action
> that you do and if you're being half way intelligent about it, you
> are always checking that each action succeeded before going on to
> the next.

Hmm, it won't be pretty for the drivers that do PQexec("COMMIT; BEGIN").
The driver will think that it's in a transaction when in fact the second
command in the string has been ignored, and so it's not ...

--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
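The failure mode Alvaro describes, modelled as an added example that is not part of the original message or of libpq: a constructed toy backend (`ModelServer`, a hypothetical name) that, with the proposed protection switched on, silently drops everything after the first `;`. A driver that infers its transaction state from the string it sent (`NaiveDriver`) believes it is inside a transaction after `COMMIT; BEGIN` while the backend is idle; a driver that issues the statements one at a time and asks the backend for its state (`CheckingDriver`) is not fooled. The backend's `transaction_status()` stands in for what libpq's real `PQtransactionStatus()` reports; the split-on-semicolon parsing is a deliberate simplification and does not handle semicolons inside string literals.

```python
from dataclasses import dataclass, field
from typing import List

# All of the classes below are constructed for illustration; they are not libpq.


@dataclass
class ModelServer:
    """Toy backend that only tracks whether a transaction block is open.

    If single_statement_only is True, anything after the first ';' in a
    query string is ignored, mimicking the protection proposed in the thread.
    """
    single_statement_only: bool
    in_transaction: bool = False
    executed: List[str] = field(default_factory=list)

    def exec(self, query: str) -> None:
        # Naive split: fine for this model, not for real SQL (string literals
        # may contain semicolons).
        statements = [s.strip() for s in query.split(";") if s.strip()]
        if self.single_statement_only:
            statements = statements[:1]
        for stmt in statements:
            self._run(stmt)

    def _run(self, stmt: str) -> None:
        keyword = stmt.split()[0].upper()
        if keyword in ("BEGIN", "START"):
            self.in_transaction = True
        elif keyword in ("COMMIT", "END", "ROLLBACK", "ABORT"):
            self.in_transaction = False
        self.executed.append(stmt)

    def transaction_status(self) -> str:
        """Counterpart of PQtransactionStatus(): the backend's own view."""
        return "INTRANS" if self.in_transaction else "IDLE"


class NaiveDriver:
    """Assumes every statement in the string it sent was executed."""

    def __init__(self, server: ModelServer) -> None:
        self.server = server
        self.believes_in_transaction = False

    def commit_and_begin(self) -> None:
        self.server.exec("COMMIT; BEGIN")
        # Wrong under the protection: only COMMIT ran, but the driver
        # records that a new transaction is open.
        self.believes_in_transaction = True


class CheckingDriver:
    """Sends one statement per call and trusts only the backend's answer."""

    def __init__(self, server: ModelServer) -> None:
        self.server = server

    def commit_and_begin(self) -> bool:
        self.server.exec("COMMIT")
        self.server.exec("BEGIN")
        return self.server.transaction_status() == "INTRANS"


def naive_driver_mismatch(single_statement_only: bool) -> bool:
    """True if the naive driver's belief disagrees with the backend's state."""
    server = ModelServer(single_statement_only)
    server.exec("BEGIN")
    driver = NaiveDriver(server)
    driver.commit_and_begin()
    return driver.believes_in_transaction != server.in_transaction


def checking_driver_in_transaction(single_statement_only: bool) -> bool:
    """True if the checking driver ends up in an open transaction."""
    server = ModelServer(single_statement_only)
    server.exec("BEGIN")
    return CheckingDriver(server).commit_and_begin()


if __name__ == "__main__":
    for protected in (False, True):
        print(f"protection={protected}: naive mismatch="
              f"{naive_driver_mismatch(protected)}, checking driver in txn="
              f"{checking_driver_in_transaction(protected)}")
```

The practical lesson for anyone writing a driver is the second pattern: never derive transaction state from the text you sent; send one statement per call and read the state back from the backend (`PQtransactionStatus()` in libpq), which stays correct whether or not the backend accepts multi-statement strings.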
