Re: Protection from SQL injection

From: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>
To: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-26 18:19:40
Message-ID: 5f211bd50804261119x25c6d488hec0cde5bab189ac5@mail.gmail.com
Lists: pgsql-sql

Hi,

> > The 'ALLOW_LITERALS NONE' mode is enabled by the developer itself, or
> > by an administrator.
> then it solves nothing...
> what if the developer never SET ALLOW_LITERALS NONE

As I have said, the 'ALLOW_LITERALS NONE' mode is enabled by the
developer himself, or by an administrator. The developer may be lazy,
but the administrator can enforce this policy.

> maybe i can inject "select * from tab where intcol = intcol; set
> allow_literals all; add any query you want"

How do you inject this? What would the application look like where
this can be injected?

Regards,
Thomas
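The two application shapes behind the question in this message, as an added example that is not code from the thread, from H2 or from PostgreSQL: a query assembled by string concatenation, into which the payload quoted above splits into stacked statements, beside the same input bound as a parameter. SQLite is used as a stand-in database because the interesting part is the query text itself; the literal detector is an approximation of a "no literals allowed" policy, the payload is constructed from the one quoted in the thread, and whether any particular server executes the trailing statements from one call is not something this message establishes.

```python
import re
import sqlite3

# Constructed attacker input, modelled on the payload quoted in the thread.
# Every statement in it is literal-free: "intcol = intcol" is always true
# and uses only identifiers, so a literal check has nothing to flag.
PAYLOAD = "intcol; set allow_literals all; drop table tab"


def build_by_concatenation(user_input):
    """The vulnerable shape: the value is pasted straight into the query text."""
    return "select * from tab where intcol = " + user_input


def split_statements(sql):
    """Naive statement splitter on ';' (the payload contains no quoted strings)."""
    return [s.strip() for s in sql.split(";") if s.strip()]


# Approximation of a 'no literals' rule: any single-quoted string or a
# standalone number counts as a literal. Digits inside identifiers (tab1)
# are not matched because there is no word boundary before them.
LITERAL_RE = re.compile(r"'[^']*'|\b\d+(\.\d+)?\b")


def contains_literal(stmt):
    """True if the statement carries a string or number literal."""
    return LITERAL_RE.search(stmt) is not None


def analyse(user_input):
    """Return (statement, has_literal) for each statement the concatenated query yields."""
    return [(s, contains_literal(s))
            for s in split_statements(build_by_concatenation(user_input))]


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tab (intcol integer)")
    conn.executemany("insert into tab values (?)", [(1,), (2,), (3,)])
    return conn


def run_parameterized(conn, user_input):
    """The safe shape: the same input is bound as a value and never parsed as SQL."""
    return conn.execute("select * from tab where intcol = ?", (user_input,)).fetchall()


if __name__ == "__main__":
    for stmt, has_lit in analyse(PAYLOAD):
        print("%-35s literal=%s" % (stmt, has_lit))
    conn = make_db()
    print("parameterized with payload:", run_parameterized(conn, PAYLOAD))
    print("parameterized with 2:      ", run_parameterized(conn, 2))
```

With concatenation the query text becomes three statements, none of which contains a literal; bound as a parameter the whole payload is just a text value compared against an integer column and matches nothing.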
