Re: SQL injection

From: Kevin Murphy <murphy(at)genome(dot)chop(dot)edu>
Cc: PostgreSQL general <pgsql-general(at)postgresql(dot)org>
Subject: Re: SQL injection
Date: 2005-11-01 13:27:38
Message-ID: 43676D4A.9090908@genome.chop.edu
Lists: pgsql-general

Can some knowledgeable person set the record straight on SQL injection,
please? I thought that the simple answer was to use prepared statements
with bind variables (except when you are letting the user specify whole
chunks of SQL, ugh), but there are many people posting who either don't
know about prepared statements or know something I don't.

Thanks,
Kevin Murphy

P.S. I don't use PHP, but Google informs me that PHP definitely has
prepared statement options: PEAR::DB, PDO in 5.X+, etc.
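The distinction the question is about, as an added example that is not part of the original mail or of PostgreSQL: the same lookup written once by splicing the user's value into the SQL text and once with a bind parameter, plus the case the mail flags as the exception (a piece of SQL that cannot be bound, here a sort column), which is handled with an allow-list instead. The example uses Python's bundled `sqlite3` module as a stand-in for PostgreSQL so it runs offline; the table, rows and the `ALLOWED_SORT_COLUMNS` allow-list are constructed for the example. With `psycopg2` the hardened form is the same idea, `cur.execute(sql, params)` with `%s` placeholders.

```python
"""Bind parameters vs. string interpolation, shown on an in-memory SQLite
database (constructed stand-in for a PostgreSQL table)."""
import sqlite3

# Identifiers and clauses cannot be passed as bind variables, so the
# only safe way to let a caller choose them is an allow-list (assumed here).
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable form: the value becomes part of the SQL text, so quote
    characters in it change the statement's structure."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened form: the SQL text is fixed; the value travels separately as a
    bind parameter and is only ever compared, never parsed."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> list[str]:
    """The non-bindable case: an ORDER BY column chosen by the caller.
    Validate against the allow-list before it touches the SQL text."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {sort_column}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # a value that is only a string to the safe form
    print("unsafe:", find_user_unsafe(db, probe))  # both rows leak
    print("safe:  ", find_user_safe(db, probe))    # no row matches literally
    print("sorted:", list_users_sorted(db, "name"))
```

Running it shows the unsafe lookup returning every user for the quoted probe value while the bound version returns nothing, because the driver never lets the parameter alter the statement; the allow-list check raises for any sort column that is not one of the two known names.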
