Robert Haas wrote:
> On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <andrew(at)dunslane(dot)net> wrote:
>> marcin mank wrote:
>>> A certain prominent web framework has a nasty SQL injection bug when
>>> PG is configured with SCS. This bug is not present without SCS
>>> (details per email for interested PG hackers). I say, hold it off.
>> Any web framework that interpolates user supplied values into SQL rather
>> than using placeholders is broken from the get go, IMNSHO. I'm not saying
>> that there aren't reasons to hold up moving to SCS, but this isn't one of
> That seems more than slightly harsh. I've certainly come across
> situations where interpolating values (with proper quoting of course)
> made more sense than using placeholders. YMMV, of course.
How many injection attacks should we witness before deciding that the
best defence is to get out of the quoting/escaping game? Personally I
have reached that threshold.
Remember that this is a web *framework*, something that would ideally be
using best practice and heightened security awareness. There could be
cases where some applications with well known structures and queries
interpolate carefully sanitised values into SQL, but I very much doubt
that web app frameworks should be indulging in such practices. They
should go the extra mile, IMNSHO.
Anyway, I think this conversation is going slightly astray.
In response to
pgsql-hackers by date
|Next:||From: Robert Haas||Date: 2010-02-04 17:32:43|
|Subject: Re: Shared catalogs vs pg_global tablespace|
|Previous:||From: David E. Wheeler||Date: 2010-02-04 17:12:24|
|Subject: Re: PG 9.0 and standard_conforming_strings|