Skip site navigation (1) Skip section navigation (2)

Re: Protection from SQL injection

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Martijn van Oosterhout <kleptog(at)svana(dot)org>
Cc: Andrew Sullivan <ajs(at)commandprompt(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-30 21:33:38
Message-ID: 23282.1209591218@sss.pgh.pa.us (view raw or flat)
Thread:
Lists: pgsql-hackers
Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> void PQexec()
> {
>   die();
> }

Actually disabling PQexec seems like a pretty poor decision; it breaks
working code to no purpose.  Also, doing it on the client side means
you're at risk of some clients being secure and some not.  I thought
what we were discussing was a server-side GUC parameter that would
disallow more than one SQL statement per PQexec.

			regards, tom lane

In response to

Responses

pgsql-hackers by date

Next:From: Alvaro HerreraDate: 2008-04-30 22:09:05
Subject: Re: [HACKERS] Proposed patch - psql wraps at window width
Previous:From: Tom LaneDate: 2008-04-30 21:03:58
Subject: Re: TidScan needs handling of a corner cases

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group