| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com> |
| Cc: | "Thomas Kellerer" <spam_eater(at)gmx(dot)net>, pgsql-sql(at)postgresql(dot)org |
| Subject: | Re: Protection from SQL injection |
| Date: | 2008-04-27 03:58:40 |
| Message-ID: | 13885.1209268720@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-sql |
"Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com> writes:
> Agreed. My point was that to do what the OP wants, wouldn't it make
> more sense to just lobotomize libpq so it doesn't understand anything
> but prepared queries.
I doubt that that particular lobotomization accomplishes much in
comparison to the penalties.
IIRC there was some discussion recently of providing a mode in which
the server would reject PQexec strings containing more than one query.
I didn't care for it much at the time, but I think it would provide
most of the benefit of these suggestions with far less compatibility
or performance hit.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Scott Marlowe | 2008-04-27 05:24:59 | Re: Protection from SQL injection |
| Previous Message | Scott Marlowe | 2008-04-27 03:50:10 | Re: Protection from SQL injection |