From: Andrew Sullivan <ajs(at)commandprompt(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-29 21:23:39
Message-ID: 20080429212339.GJ4515@commandprompt.com
Lists: pgsql-hackers
[I know, I know, bad form]
On Tue, Apr 29, 2008 at 04:55:21PM -0400, Andrew Sullivan wrote:
> thinking they have to worry about that area of security at all. I
> think without a convincing argument that the proposal will even come
> close to covering most SQL injection cases, it's a bad idea.
To be perfectly clear, I also think that the reverse is true: if a
fairly complete design was demonstrated to be possible such that it
covered just about every case, I'd be all for it. (I sort of like the
suggestion up-thread, myself, which is to have a GUC that disables
multi-statement commands. That'd probably cover a huge number of
cases, and combined with some sensible quoting rules in client
libraries, would quite possibly be enough.)
A
--
Andrew Sullivan
ajs(at)commandprompt(dot)com
+1 503 667 4564 x104
http://www.commandprompt.com/
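The mail above suggests a server setting that refuses multi-statement commands as a way to cut off a large class of injection, combined with sensible quoting in client libraries. The following is an added illustration of what such a check would and would not catch; it is example code written for this page, not PostgreSQL's implementation and not code from the thread. The function names (split_statements, single_statement_only, build_vulnerable_query, is_rejected), the toy lexer and the sample payloads are all constructed for the example.

```python
"""Toy quoting-aware statement counter, illustrating the "GUC that disables
multi-statement commands" idea from the thread.  Added example code for this
page; not PostgreSQL's implementation and not code from the original mail.
Handles the lexical cases an injection payload leans on: '...' strings with
'' escapes, E'...' strings with backslash escapes, "..." identifiers,
$tag$...$tag$ dollar quoting, -- comments and nested /* */ comments.
Not a complete SQL lexer."""

import re

_DOLLAR_TAG = re.compile(r"\$([A-Za-z_][A-Za-z_0-9]*)?\$")


def _quoted_end(sql, i, quote):
    """Index just past a quote-delimited token starting at sql[i]; a doubled
    quote inside the token is an escape, not a terminator."""
    j = i + 1
    while j < len(sql):
        if sql[j] == quote:
            if j + 1 < len(sql) and sql[j + 1] == quote:
                j += 2
                continue
            return j + 1
        j += 1
    return len(sql)


def split_statements(sql):
    """Split on semicolons outside strings, identifiers, dollar quotes and
    comments.  Statements that contain only comments/whitespace are dropped."""
    stmts, cur, meaningful = [], [], False
    n, i = len(sql), 0

    def flush():
        nonlocal cur, meaningful
        if meaningful:
            stmts.append("".join(cur).strip())
        cur, meaningful = [], False

    while i < n:
        ch = sql[i]
        if sql.startswith("--", i):                      # line comment
            j = sql.find("\n", i)
            j = n if j < 0 else j
            cur.append(sql[i:j]); i = j
        elif sql.startswith("/*", i):                    # block comment, nestable
            depth, j = 1, i + 2
            while j < n and depth:
                if sql.startswith("/*", j): depth, j = depth + 1, j + 2
                elif sql.startswith("*/", j): depth, j = depth - 1, j + 2
                else: j += 1
            cur.append(sql[i:j]); i = j
        elif (m := _DOLLAR_TAG.match(sql, i)):           # $tag$ ... $tag$
            tag = m.group(0)
            j = sql.find(tag, m.end())
            j = n if j < 0 else j + len(tag)
            cur.append(sql[i:j]); i = j; meaningful = True
        elif ch in "eE" and i + 1 < n and sql[i + 1] == "'" \
                and (i == 0 or not (sql[i - 1].isalnum() or sql[i - 1] == "_")):
            j = i + 2                                    # E'...' with backslashes
            while j < n:
                if sql[j] == "\\": j += 2; continue
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'": j += 2; continue
                    j += 1; break
                j += 1
            cur.append(sql[i:j]); i = j; meaningful = True
        elif ch in "'\"":                                # '...' or "..."
            j = _quoted_end(sql, i, ch)
            cur.append(sql[i:j]); i = j; meaningful = True
        elif ch == ";":
            flush(); i += 1
        else:
            cur.append(ch); i += 1
            if not ch.isspace(): meaningful = True
    flush()
    return stmts


def single_statement_only(sql):
    """What a 'no multi-statement commands' setting would enforce."""
    stmts = split_statements(sql)
    if len(stmts) != 1:
        raise ValueError("multi-statement command rejected: %d statements" % len(stmts))
    return stmts[0]


def build_vulnerable_query(name):
    """Constructed vulnerable pattern: user input concatenated into SQL."""
    return "SELECT * FROM users WHERE name = '" + name + "'"


def is_rejected(name):
    """True if the multi-statement check blocks the concatenated query."""
    try:
        single_statement_only(build_vulnerable_query(name))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Stacked-query payload: caught by the multi-statement check.
    print(is_rejected("'; DROP TABLE users; --"))        # True
    # Tautology payload: a single statement, so this check alone lets it
    # through; that is the part client-side quoting/parameters must cover.
    print(is_rejected("' OR '1'='1"))                    # False
    # A legitimate value containing a semicolon is not a false positive.
    print(is_rejected("Smith; Jones"))                   # False
```

The three sample payloads make the trade-off concrete: a stacked query is refused, a tautology inside a single statement is not, and a semicolon inside a properly quoted literal is not mistaken for a statement boundary, which is why the splitter has to understand quoting rather than counting raw semicolons.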