Re: Protection from SQL injection

From: Andreas 'ads' Scherbaum <adsmail(at)wars-nicht(dot)de>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-30 00:19:21
Message-ID: 20080430021921.6b179b9e@iridium.wars-nicht.de
Lists: pgsql-hackers

On Tue, 29 Apr 2008 22:18:48 +0200 Thomas Mueller wrote:

> For PostgreSQL the 'disable literals' feature would be great
> publicity: PostgreSQL would be the first only major database that has
> a good story regarding SQL injection. Yes it's not the magic silver
> bullet, but databases like MS SQL Server, Oracle or MySQL would look
> really bad.

I don't think so.
Given the fact that enabling this feature by default would break almost
all applications, you have to disable this by default. No use here
because almost nobody will know about it. Oh, and I can see the
headlines: "New PostgreSQL feature breaks 99% of applications".

> > Forbidding literals will break absolutely every SQL-using application on the planet
>
> Well, it's optional. If a developer or admin wants to use it, he will
> know that it could mean some work.

The developers and admins who know about this feature and want to use
it are also the developers and admins who know about SQL injections.
Eventually the code quality produced by these people is higher than
average and less likely to have such basic faults.

> Even if the feature is not enabled, it's still good to have it.

Huh? How so?
Just because one can say "We have a feature against SQL injections",
which will not be used by literally anyone?

Kind regards

--
Andreas 'ads' Scherbaum
German PostgreSQL User Group
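Added illustration, not part of this thread and not PostgreSQL code: a toy Python model of what a "disable literals" mode would reject, assuming it means refusing any query text that contains a quoted string or bare numeric literal (the thread does not define the feature precisely, so that reading is an assumption). It runs a string-concatenated query and a parameterized one against a constructed in-memory SQLite table, shows the injection succeeding in the concatenated form, and shows that the same literal check also rejects an ordinary, harmless concatenated query, which is the breakage the reply above is talking about.

```python
import re
import sqlite3

# Toy approximation of a "disable literals" rule (assumption, not the
# proposed PostgreSQL semantics): reject any SQL text containing a
# single-quoted string literal or a bare numeric literal. Parameter
# placeholders ('?') are allowed, so only bind-parameter queries pass.
_LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def contains_literal(sql: str) -> bool:
    """Return True if the query text carries an inline literal."""
    return _LITERAL_RE.search(sql) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def query_concat(conn: sqlite3.Connection, name: str):
    """Vulnerable form: user input pasted into the SQL text."""
    sql = "SELECT role FROM users WHERE name = '" + name + "' ORDER BY name"
    rows = [r[0] for r in conn.execute(sql)]
    return sql, rows


def query_param(conn: sqlite3.Connection, name: str):
    """Safe form: user input passed as a bind parameter."""
    sql = "SELECT role FROM users WHERE name = ? ORDER BY name"
    rows = [r[0] for r in conn.execute(sql, (name,))]
    return sql, rows


def run_with_literals_disabled(conn: sqlite3.Connection, sql: str, params=()):
    """Execute only if the query text has no inline literals.

    Models the proposed mode: the injected query is refused, but so is
    every legitimate query that happens to embed a constant.
    """
    if contains_literal(sql):
        raise ValueError("literals disabled: " + sql)
    return [r[0] for r in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"

    sql, rows = query_concat(db, hostile)
    print("concatenated:", sql, "->", rows)      # leaks both roles
    sql, rows = query_param(db, hostile)
    print("parameterized:", sql, "->", rows)     # no match, nothing leaked

    for sql, params in [
        (query_concat(db, hostile)[0], ()),       # injected: refused
        (query_concat(db, "bob")[0], ()),         # harmless but literal: refused
        ("SELECT role FROM users WHERE name = ?", ("bob",)),  # allowed
    ]:
        try:
            print("allowed:", run_with_literals_disabled(db, sql, params))
        except ValueError as exc:
            print("refused:", exc)
```

The third loop entry is the only one the toy mode accepts; the second shows why an application that builds even a well-escaped `WHERE name = 'bob'` by hand would stop working the day the switch is flipped.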
