Re: PG 9.0 and standard_conforming_strings

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: marcin mank <marcin(dot)mank(at)gmail(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PG 9.0 and standard_conforming_strings
Date: 2010-02-03 22:57:01
Message-ID: 4B69FF3D.9010107@dunslane.net
Lists: pgsql-hackers

marcin mank wrote:
> A certain prominent web framework has a nasty SQL injection bug when
> PG is configured with SCS. This bug is not present without SCS
> (details per email for interested PG hackers). I say, hold it off.

Any web framework that interpolates user supplied values into SQL rather
than using placeholders is broken from the get-go, IMNSHO. I'm not
saying that there aren't reasons to hold up moving to SCS, but this
isn't one of them.

cheers

andrew
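The mode dependence behind marcin's report and the placeholder advice above, as an added example that is not part of this thread: a small Python emulation of how PostgreSQL tokenizes a single-quoted literal with standard_conforming_strings on and off, checked against the two usual client-side quoting routines. The function names are constructed; the emulator covers only quotes and backslashes, not the `\n`-style escapes of the non-standard mode.

```python
# Constructed example, not PostgreSQL or any framework's code.
# Shows why client-side quoting is only correct when it knows the
# server's standard_conforming_strings (SCS) setting, and why
# placeholders (or libpq's PQescapeStringConn, which consults the
# connection) sidestep the problem entirely.

def parse_literal(sql, scs):
    """Parse one quoted literal starting at sql[0] == "'".
    Returns (decoded_value, rest_of_input).  With scs=False (the
    pre-9.1 default) a backslash escapes the next character; with
    scs=True a backslash is an ordinary character and only '' stands
    for a quote.  Raises ValueError if the literal never terminates."""
    assert sql[0] == "'"
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")          # doubled quote, both modes
                i += 2
                continue
            return "".join(out), sql[i + 1:]
        if c == "\\" and not scs and i + 1 < len(sql):
            out.append(sql[i + 1])       # backslash escape, SCS off only
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")

def quote_backslash(value):
    """Quoting routine written for SCS off: backslash-escape ' and \\."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def quote_doubling(value):
    """Quoting routine written for SCS on: only double the quotes."""
    return "'" + value.replace("'", "''") + "'"

def round_trips(quoter, value, scs):
    """True iff the literal the quoter emits decodes back to value and
    consumes exactly itself, i.e. nothing leaks out as extra SQL."""
    try:
        parsed, rest = parse_literal(quoter(value), scs)
    except ValueError:
        return False
    return parsed == value and rest == ""
```

Run against `O'Reilly` and a value ending in a backslash, each routine round-trips in the mode it was written for and fails in the other, so a framework that hard-codes one style breaks as soon as the server flips the GUC; a placeholder never enters the lexer at all.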
