From: | dom(at)happygiraffe(dot)net (Dominic Mitchell) |
---|---|
To: | Greg Stark <gsstark(at)mit(dot)edu> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: When to encrypt |
Date: | 2004-12-06 09:58:05 |
Message-ID: | 20041206095805.GA50010@ppe.happygiraffe.net |
Lists: | pgsql-general |
On Sun, Dec 05, 2004 at 11:31:34PM -0500, Greg Stark wrote:
> Derek Fountain <dflists(at)iinet(dot)net(dot)au> writes:
> > If another SQL Injection vulnerability turns up (which it might, given the
> > state of the website code),
>
> You will never see another SQL injection vulnerability if you simply switch to
> always using prepared queries and placeholders. Make it a rule that you
> _never_ interpolate variables into the query string. Period. No manual quoting
> to get right, no subtle security audit necessary: if the SQL query isn't a
> constant string you reject it.
Another good piece of defense is mod_security (assuming that your web
server is Apache). You can teach it about SQL injection attacks with a
little work.
-Dom
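An added example, not code from this thread: the interpolated lookup the thread warns against beside its parameterized form, plus a small wrapper that mechanises Greg's "constant string or reject" rule. It assumes Python's built-in sqlite3 as an offline stand-in for PostgreSQL (placeholder syntax is `?` here rather than psycopg's `%s`; the principle is the same), and the table rows are constructed sample data.

```python
import sqlite3

# sqlite3 stands in for PostgreSQL so this runs offline (assumption);
# the placeholder spelling differs, the principle does not.

def setup():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.invalid"),
                      ("O'Brien", "obrien@example.invalid")])
    return conn

def lookup_interpolated(conn, name):
    """The pattern the thread warns against: input spliced into the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    """Constant SQL text; the value travels as a bound parameter, never as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()

# Greg's rule, enforced: every query the application may run is listed here
# as a literal; any other SQL text is refused before it reaches the driver.
ALLOWED_SQL = frozenset({
    "SELECT name, email FROM users WHERE name = ?",
    "INSERT INTO users VALUES (?, ?)",
})

def run_constant(conn, sql, params=()):
    if sql not in ALLOWED_SQL:
        raise ValueError("refusing SQL that is not one of the constant strings")
    return conn.execute(sql, params).fetchall()

def compare(name):
    """Run both lookups on the same input; the interpolated one may break."""
    conn = setup()
    try:
        raw = lookup_interpolated(conn, name)
    except sqlite3.Error as exc:
        raw = "error: " + type(exc).__name__   # the quote in the name altered the SQL
    return raw, lookup_parameterized(conn, name)

def rejects(sql, params=()):
    """True if run_constant refuses this SQL text."""
    try:
        run_constant(setup(), sql, params)
        return False
    except ValueError:
        return True
```

A plain name works either way; a name containing a quote breaks the interpolated query outright while the parameterized one returns the row, which is exactly the "no manual quoting to get right" point.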