Re: Protection from SQL injection

From: Andrew Sullivan <ajs(at)commandprompt(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-29 20:55:21
Message-ID: 20080429205520.GF4515@commandprompt.com
Lists: pgsql-hackers

On Tue, Apr 29, 2008 at 04:33:01PM -0400, Andrew Dunstan wrote:

> Moreover, it seems unlikely that it will even cover the field. A partial
> cloak might indeed be worse than none, in that it will give some developers
> an illusion of having security.

I think this is a really important point, and one that isn't getting
enough attention in this discussion. Half a security measure is
almost always worse than none at all, exactly because people stop
thinking they have to worry about that area of security at all. I
think without a convincing argument that the proposal will even come
close to covering most SQL injection cases, it's a bad idea.

A

--
Andrew Sullivan
ajs(at)commandprompt(dot)com
+1 503 667 4564 x104
http://www.commandprompt.com/
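An added example, not from this thread and not PostgreSQL code: the proposal the thread is debating is not reproduced on this page, so a generic application-side "partial cloak" stands in for it, a filter that only doubles single quotes. Against the textbook payload in a quoted string context the filter works, which is exactly what can persuade a developer the area is handled; in a numeric context the same filter is a no-op and the injection goes through. A parameterized query with type coercion covers both. The in-memory sqlite3 table, its two rows and the function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def escape_quotes(value):
    """The 'partial cloak': doubles single quotes so a value cannot break out
    of a quoted SQL string literal. It covers only that one context."""
    return str(value).replace("'", "''")


def find_by_name_escaped(conn, name):
    # String context: the filter does its job here, which is what makes it
    # look like SQL injection has been dealt with.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % escape_quotes(name)
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, user_id):
    # Numeric context: there are no quotes to escape, so the same filter
    # changes nothing and attacker-controlled text is spliced into the statement.
    sql = "SELECT id, name FROM users WHERE id = %s" % escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def find_by_id_param(conn, user_id):
    # The complete measure: coerce to the expected type, then bind the value as
    # a parameter so it never becomes part of the SQL text at all.
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_escaped(db, "' OR '1'='1"))  # [] -- filter looks effective
    print(find_by_id_escaped(db, "2 OR 1=1"))       # both rows -- filter bypassed
    print(find_by_id_param(db, "2 OR 1=1"))         # [] -- rejected before binding
```

The second call is the "illusion of having security" in miniature: the developer saw the quoting filter defeat the obvious payload and stopped thinking about the numeric path, which the filter never addressed.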
