Robert Haas wrote:
> On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <andrew(at)dunslane(dot)net> wrote:
>   
>> marcin mank wrote:
>>     
>>> A certain prominent web framework has a nasty SQL injection bug when
>>> PG is configured with SCS. This bug is not present without SCS
>>> (details per email for interested PG hackers). I say, hold it off.
>>>       
>> Any web framework that interpolates user supplied values into SQL rather
>> than using placeholders is broken from the get go, IMNSHO. I'm not saying
>> that there aren't reasons to hold up moving to SCS, but this isn't one of
>> them.
>>     
>
> That seems more than slightly harsh.  I've certainly come across
> situations where interpolating values (with proper quoting of course)
> made more sense than using placeholders.  YMMV, of course.
>
>
>   

How many injection attacks should we witness before deciding that the 
best defence is to get out of the quoting/escaping game? Personally I 
have reached that threshold.

Remember that this is a web *framework*, something that would ideally be 
using best practice and heightened security awareness. There could be 
cases where some applications with well known structures and queries 
interpolate carefully sanitised values into SQL, but I very much doubt 
that web app frameworks should be indulging in such practices. They 
should go the extra mile, IMNSHO.

Anyway, I think this conversation is going slightly astray.

cheers

andrew

In response to

• Re: PG 9.0 and standard_conforming_strings at 2010-02-04 02:16:44 from Robert Haas

pgsql-hackers by date

Next:	From: Robert Haas	Date: 2010-02-04 17:32:43
	Subject: Re: Shared catalogs vs pg_global tablespace
Previous:	From: David E. Wheeler	Date: 2010-02-04 17:12:24
	Subject: Re: PG 9.0 and standard_conforming_strings