
Re: Protection from SQL injection

From: Andreas 'ads' Scherbaum <adsmail(at)wars-nicht(dot)de>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-30 00:19:21
Lists: pgsql-hackers
On Tue, 29 Apr 2008 22:18:48 +0200 Thomas Mueller wrote:

> For PostgreSQL the 'disable literals' feature would be great
> publicity: PostgreSQL would be the first only major database that has
> a good story regarding SQL injection. Yes it's not the magic silver
> bullet, but databases like MS SQL Server, Oracle or MySQL would look
> really bad.

I don't think so.
Given the fact that enabling this feature by default would break almost
all applications, you have to disable this by default. No use here
because almost nobody will know about it. Oh, and I can see the
headlines: "New PostgreSQL feature breaks 99% of applications".

> > Forbidding literals will break absolutely every SQL-using application on the planet
> Well, it's optional. If a developer or admin wants to use it, he will
> know that it could mean some work.

The developers and admins who know about this feature and want to use
it are also the developers and admins who know about SQL injection.
Presumably the code quality produced by these people is higher than
average and less likely to have such basic faults.

> Even if the feature is not enabled, it's still good to have it.

Huh? How so?
Just because one can say "We have a feature against SQL injections"
which will not be used by literally anyone?

Kind regards

				Andreas 'ads' Scherbaum
German PostgreSQL User Group
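To make concrete what the thread is arguing about, here is an added example that is not part of the mail, of PostgreSQL, or of the feature as proposed: a toy model of a "disable literals" mode built on Python's sqlite3. It assumes the mode means "refuse any statement whose text contains a string or numeric constant, so every value must arrive as a bound parameter". The table, rows, function names and the regex-based literal scanner are all constructed for this illustration. It shows the injection the mode is meant to stop, the parameterized query that passes, and why an ordinary query such as `WHERE active = 1` would also be refused, which is the breakage the reply above predicts.

```python
import re
import sqlite3

# Assumed semantics of a "disable literals" mode (not the proposal itself):
# a statement is refused if its text contains any string or numeric
# constant. Identifiers, quoted identifiers and comments are matched so the
# scanner can skip over them (a digit inside "t1" or a quote inside a
# comment is not a literal).
_TOKEN_RE = re.compile(
    r"""
    '(?:[^']|'')*'             # string literal, '' is an escaped quote
  | "(?:[^"]|"")*"             # quoted identifier (skipped)
  | --[^\n]*                   # line comment (skipped)
  | /\*.*?\*/                  # block comment (skipped)
  | [A-Za-z_][A-Za-z0-9_]*     # identifier or keyword (skipped)
  | \b\d+(?:\.\d+)?\b          # numeric literal
    """,
    re.VERBOSE | re.DOTALL,
)


def find_literals(sql):
    """Return the string and numeric literals that appear in `sql`."""
    found = []
    for m in _TOKEN_RE.finditer(sql):
        tok = m.group(0)
        if tok.startswith("'") or tok[0].isdigit():
            found.append(tok)
    return found


def make_db():
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, active INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.org", 1),
         ("bob", "bob@example.org", 1),
         ("carol", "carol@example.org", 0)],
    )
    return conn


def vulnerable_lookup(conn, name):
    """Classic injection: user input is pasted into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, name):
    """Same query with a bound parameter; input never becomes SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def execute_without_literals(conn, sql, params=()):
    """Toy 'disable literals' mode: refuse SQL text containing constants."""
    literals = find_literals(sql)
    if literals:
        raise ValueError("literals not allowed in statement: %r" % literals)
    return conn.execute(sql, params).fetchall()


def is_refused(conn, sql, params=()):
    """True if the literal-free mode rejects `sql`."""
    try:
        execute_without_literals(conn, sql, params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(conn, payload))   # every user
    print("parameterized:", safe_lookup(conn, payload))      # no user
    # The injected statement is refused, but so is a perfectly ordinary one.
    injected = "SELECT name FROM users WHERE name = '%s'" % payload
    print("refused (injected):", is_refused(conn, injected))
    print("refused (active = 1):",
          is_refused(conn, "SELECT name FROM users WHERE active = 1"))
    print("allowed (active = ?):",
          execute_without_literals(conn, "SELECT name FROM users WHERE active = ?", (1,)))
```

The last two calls are the point of the reply: the mode blocks the injected statement only as a side effect of blocking every constant, so an application that was never vulnerable still has to be rewritten before it can be switched on.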

pgsql-hackers by date

Next: From: Gurjeet Singh, Date: 2008-04-30 00:47:03, Subject: Re: Protection from SQL injection
Previous: From: Josh Berkus, Date: 2008-04-29 22:24:10, Subject: Re: Protection from SQL injection

Copyright © 1996-2017 The PostgreSQL Global Development Group