| From: | Mark Mielke <mark(at)mark(dot)mielke(dot)cc> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Greg Sabino Mullane <greg(at)turnstep(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: PG 9.0 and standard_conforming_strings |
| Date: | 2010-02-03 19:25:45 |
| Message-ID: | 4B69CDB9.2050801@mark.mielke.cc |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 02/03/2010 01:20 PM, Robert Haas wrote:
> I am not sure I really understand why anyone is a rush to make this
> change. What harm is being done by the status quo? What benefit do
> we get out of changing the default? The major argument that has been
> offered so far is that "if we don't change it now, we never will", but
> I don't believe that the tenor of this discussion supports the
> contention that Tom or anyone else never wants to make this change.
>
For myself, it isn't so much a rush as a sense that the code out there
that will break, will never change unless forced, and any time seems
better than never.
Correct me if I am wrong - but I think this issue represents an
exploitable SQL injection security hole. I switched because I convinced
myself that the ambiguity of \' represented actual danger. I'm concerned
that if the web front end doing parameter checking and passing in code
using either '' quoting or \' quoting can be exploited if the server
happens to be configured the opposite way. To me, this ambiguity can
only be addressed by everybody agreeing on the right way to do it, and
'' quoting seems like the right way to do it to me.
Cheers,
mark
--
Mark Mielke<mark(at)mielke(dot)cc>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2010-02-03 19:29:14 | Re: Add on_trusted_init and on_untrusted_init to plperl UPDATED [PATCH] |
| Previous Message | Alex Hunsaker | 2010-02-03 19:22:03 | Re: Add on_trusted_init and on_untrusted_init to plperl UPDATED [PATCH] |