| From: | Geoff Caplan <geoff(at)variosoft(dot)com> |
|---|---|
| To: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-26 09:34:22 |
| Message-ID: | 76347264740.20040726103422@variosoft.com |
| Lists: | pgsql-general |
Magnus,
Your posting arrived just after I posted my attempt at a summary...
With the help of the list, I had already got to the stage where
parameterised queries are the way to go. Your post helps confirm
that.
Now I need to understand the implementation details. Clearly, one
option is the PREPARE/EXECUTE statements. But I am not sure I follow
you when you say:
MH> If you use the parametrised formats, e.g.
MH> "SELECT * FROM foo WHERE bar=@bar"
MH> or just "sp_foo" in the case of the stored procedure (the driver will
MH> pick up parameter names automatically)
Are you saying that "@bar" is part of the Postgres query syntax? If it
is, I can't find it in the 7.4 docs. What do you mean by "the
parameterised formats"? I would appreciate a clarification and the URL
of the relevant documentation.
Thanks
------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154
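The PREPARE/EXECUTE route mentioned in the message above, as an added example that is not part of the original thread. It uses a constructed `accounts` table with made-up rows and PostgreSQL's positional parameter `$1` (the `@bar` form in the quoted text is not a PostgreSQL placeholder; PREPARE uses `$1`, `$2`, ...). The statements run in psql against PostgreSQL 7.4 or later; the doubled single quotes in the EXECUTE call are only there to get the hostile string into psql as a literal, whereas an application driver passes the value directly without any quoting.

```sql
-- Added example, not from the thread. The table and rows are constructed.
CREATE TABLE accounts (
    username text PRIMARY KEY,
    password text NOT NULL,
    is_admin boolean NOT NULL DEFAULT false
);
INSERT INTO accounts VALUES ('alice', 's3cret', false);
INSERT INTO accounts VALUES ('root',  'hunter2', true);

-- 1. What string concatenation in the application produces when the
--    user-supplied username is:   ' OR '1'='1
--    The first quote closes the literal, and the rest becomes part of the
--    WHERE clause, so the query returns every row instead of none.
SELECT username, is_admin FROM accounts WHERE username = '' OR '1'='1';

-- 2. Server-side parameterised form. The value arrives as a typed
--    parameter ($1) after the statement has been parsed, so it can only
--    ever be compared as data, never interpreted as SQL.
PREPARE find_account (text) AS
    SELECT username, is_admin FROM accounts WHERE username = $1;

-- The same hostile input, now passed as the parameter. It is compared
-- verbatim against the username column, so no row matches.
EXECUTE find_account(''' OR ''1''=''1');

-- A legitimate lookup through the same prepared statement.
EXECUTE find_account('alice');

-- Prepared statements live for the session; release this one when done.
DEALLOCATE find_account;
```

The point of contrast is that in case 1 the attacker controls the shape of the query, while in case 2 the shape is fixed at PREPARE time and the attacker controls only a value. Client libraries that offer placeholders do the same thing on the application's behalf; whatever placeholder syntax the driver uses, the check is that the user's string never gets concatenated into the SQL text.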
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2004-07-26 10:03:19 | Re: Sql injection attacks |
| Previous Message | Geoff Caplan | 2004-07-26 08:58:11 | Re: Sql injection attacks |