| From: | "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Protection from SQL injection |
| Date: | 2008-04-30 12:42:51 |
| Message-ID: | 5f211bd50804300542h50ece8b7r1f6ffd76daef8569@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
> How many people are using literals in Java?
Not sure if I understood the question... In Java most people use
constants (final static). 'Checkstyle' can find 'magic numbers' in the
source code.
If the constants feature was very important in SQL, people would have
requested it, and it would be in the SQL standard by now. There is a
workaround: user defined functions.
> Disabling multi-statement commands
Disabling multi-statement commands just limits the effect of SQL
injection. Disabling literals actually protects from SQL injection.
Both features are important.
> ( almost ? ) the same result by doing all access using functions
This also doesn't protect from SQL injection, it only limits the effect.
> Half a security measure is almost always worse than none at all
Cars and houses have locks. Locks can't fully protect you. Do they
give the illusion security? Maybe. But it's definitely better to have
them.
> headlines: "New PostgreSQL feature breaks 99% applications"
Not if it's disabled by default. What about "New PostgreSQL feature
offers 95% protection from SQL injection"?
> The developers and admins who know about this feature and want to use it...
> quality produced by this ppl is higher than average and less likely to have such basic faults.
Maybe. I found some problems in my code when enabling this feature,
and I thought I was save (or paranoid :-).
Regards,
Thomas
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Gurjeet Singh | 2008-04-30 13:00:32 | pg_standby issue |
| Previous Message | PFC | 2008-04-30 10:55:06 | Re: Protection from SQL injection |