
Re: Protection from SQL injection

From: "Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com>
To: "Thomas Kellerer" <spam_eater(at)gmx(dot)net>
Cc: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-27 00:21:48
Message-ID: dcc563d10804261721l68d7dcd1u329d796a8aa8a9b4@mail.gmail.com
Lists: pgsql-sql
On Sat, Apr 26, 2008 at 3:32 PM, Thomas Kellerer <spam_eater(at)gmx(dot)net> wrote:
> Thomas Mueller wrote on 26.04.2008 18:32:
>
> > Literals can still be used when using query tools, or in applications
> > considered 'safe'.
> >
> I fail to see how the backend could distinguish between a query sent by a
> query tool and a query sent by an "application".

Wouldn't it be much simpler to have a version of the libpq client lib
that only understands prepared queries?
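
A sketch of the "prepared queries only" client proposed above, combined with the earlier suggestion in the thread of refusing inline literals. This is an added example, not code from the thread or from libpq: the literal scanner, PreparedOnlyConnection and demo are constructed, and an in-memory list stands in for the real PQexecParams() call.

```python
import re


class LiteralInQueryError(ValueError):
    """Raised when the SQL text itself carries a string or numeric literal."""

# Tried in this order at each position: dollar-quoted string, '...' string
# (with '' escapes), line comment, block comment, $n placeholder, bare number.
# Comments are consumed so digits or quotes inside them are not reported.
_TOKEN = re.compile(
    r"(?P<dollar>\$(?P<tag>[A-Za-z_]*)\$.*?\$(?P=tag)\$)"
    r"|(?P<str>'(?:[^']|'')*')"
    r"|(?P<lcomment>--[^\n]*)"
    r"|(?P<bcomment>/\*.*?\*/)"
    r"|(?P<param>\$\d+)"
    r"|(?P<num>(?<![\w$])\d+(?:\.\d+)?)",
    re.DOTALL,
)

def find_literals(sql):
    """Return every inline literal in sql; an empty list means parameters only."""
    return [m.group(0) for m in _TOKEN.finditer(sql)
            if m.group("dollar") or m.group("str") or m.group("num")]

class PreparedOnlyConnection:
    """Model of a client whose only entry point is (sql, params).
    The real libpq call would be PQexecParams(); the 'wire' here is a list so
    the example runs offline. Constructed example, not PostgreSQL code."""
    def __init__(self):
        self.sent = []

    def exec_params(self, sql, params):
        literals = find_literals(sql)
        if literals:
            raise LiteralInQueryError("inline literal(s) in SQL text: %r" % literals)
        # Every $n must have a matching parameter; values travel out of band.
        highest = max((int(n) for n in re.findall(r"\$(\d+)", sql)), default=0)
        if highest > len(params):
            raise ValueError("query uses $%d but only %d params given" % (highest, len(params)))
        self.sent.append((sql, tuple(params)))
        return self.sent[-1]

def demo():
    # A parameterised query is accepted; the string-concatenated form is refused.
    conn = PreparedOnlyConnection()
    conn.exec_params("SELECT id FROM users WHERE name = $1 AND age > $2", ("o'brien", 18))
    try:
        conn.exec_params("SELECT id FROM users WHERE name = 'o''brien' AND age > 18", ())
    except LiteralInQueryError:
        return len(conn.sent) == 1
    return False
```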
