From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
---|---|
To: | mbr <yourpadre(at)gmail(dot)com> |
Cc: | pgsql-es-ayuda(at)postgresql(dot)org |
Subject: | Re: how to execute views with parameters from Python? |
Date: | 2006-05-29 20:51:41 |
Message-ID: | 20060529205140.GG24193@surnet.cl |
Lists: | pgsql-es-ayuda |
mbr wrote:
> With the recent bug that came out in PostgreSQL, they recommend that instead of
> building the query and sending it to the server, it is better to create views
> on the server and call them.
Where does it say that?
Q: What else can I do to foil SQL injection attacks?
A: There are quite a number of steps you can use to foil SQL injection attacks
in addition to these updates, which are things security-conscious application
developers should be doing anyway:
1. Employ a good database security design, in which restrictive database
permissions are assigned to public database roles.
2. Use parameterized prepared statements to execute queries (e.g. "SELECT *
FROM table WHERE id = ?") (please note that PHP does not have proper support
for this feature earlier than v5.1)
3. Use stored procedures to execute queries from web applications, instead
of sending them directly to the database.
4. Hash or encrypt valuable data in the database.
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
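As an added example (not from this thread or from the PostgreSQL FAQ quoted above), here is what steps 1 to 3 look like in PostgreSQL: a table the application role cannot touch directly, a SQL function that acts as a parameterised view (which is the usual answer to the question in the subject line), and a server-side prepared statement. The role, table and rows are assumptions made up for the illustration.

```sql
-- Added example, not part of the original message. Role, table and data
-- are assumed for illustration only.

-- Step 1: restrictive permissions. The application role gets no direct
-- access to the table, only to a function that wraps the query.
CREATE ROLE app_user LOGIN PASSWORD 'placeholder-change-me';
CREATE TABLE customers (
    id    integer PRIMARY KEY,
    name  text NOT NULL,
    email text NOT NULL
);
INSERT INTO customers VALUES (1, 'Ana',  'ana@example.com'),
                             (2, 'Luis', 'luis@example.com');
REVOKE ALL ON customers FROM PUBLIC;

-- Step 3: a SQL function that behaves like a view with a parameter.
-- p_id is bound as a typed value and never spliced into query text.
-- SECURITY DEFINER lets app_user read through the function while still
-- holding no privileges on the table itself; the fixed search_path keeps
-- the function from resolving names through the caller's search path.
CREATE FUNCTION customer_by_id(p_id integer)
RETURNS SETOF customers
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public, pg_temp
AS $$ SELECT * FROM customers WHERE id = p_id $$;

REVOKE ALL ON FUNCTION customer_by_id(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION customer_by_id(integer) TO app_user;

-- Step 2: a server-side prepared statement with a typed parameter.
-- A client driver's placeholders work the same way: the value travels
-- separately from the SQL text, so it cannot alter the statement.
PREPARE get_customer(integer) AS SELECT * FROM customer_by_id($1);
EXECUTE get_customer(1);          -- row for id 1
EXECUTE get_customer(2);          -- row for id 2

-- What app_user can and cannot do:
SET ROLE app_user;
SELECT * FROM customer_by_id(1);  -- allowed, through the function
SELECT * FROM customers;          -- fails: no privileges on the table
RESET ROLE;
```

From Python the call is the same statement with the driver's placeholder instead of `$1`, passing the id as a separate parameter rather than formatting it into the string.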