Quick Links

Re: Protection from SQL injection

From:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To:	Martijn van Oosterhout <kleptog(at)svana(dot)org>
Cc:	Andrew Sullivan <ajs(at)commandprompt(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject:	Re: Protection from SQL injection
Date:	2008-04-30 21:33:38
Message-ID:	23282.1209591218@sss.pgh.pa.us
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> void PQexec()
> {
> die();
> }

Actually disabling PQexec seems like a pretty poor decision; it breaks
working code to no purpose. Also, doing it on the client side means
you're at risk of some clients being secure and some not. I thought
what we were discussing was a server-side GUC parameter that would
disallow more than one SQL statement per PQexec.

regards, tom lane

In response to

Re: Protection from SQL injection at 2008-04-30 20:58:34 from Martijn van Oosterhout

Responses

Re: Protection from SQL injection at 2008-05-01 13:13:27 from Andrew Sullivan

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Alvaro Herrera	2008-04-30 22:09:05	Re: [HACKERS] Proposed patch - psql wraps at window width
Previous Message	Tom Lane	2008-04-30 21:03:58	Re: TidScan needs handling of a corner cases