From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
Cc: | marcin mank <marcin(dot)mank(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: PG 9.0 and standard_conforming_strings |
Date: | 2010-02-04 02:16:44 |
Message-ID: | 603c8f071002031816l1262ba1bne30e0fedbb4b1744@mail.gmail.com |
Lists: | pgsql-hackers |
On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <andrew(at)dunslane(dot)net> wrote:
> marcin mank wrote:
>> A certain prominent web framework has a nasty SQL injection bug when
>> PG is configured with SCS. This bug is not present without SCS
>> (details per email for interested PG hackers). I say, hold it off.
>
> Any web framework that interpolates user supplied values into SQL rather
> than using placeholders is broken from the get go, IMNSHO. I'm not saying
> that there aren't reasons to hold up moving to SCS, but this isn't one of
> them.
That seems more than slightly harsh. I've certainly come across
situations where interpolating values (with proper quoting of course)
made more sense than using placeholders. YMMV, of course.
...Robert
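To make the "proper quoting" point concrete, here is an added example (written for this page, not code from the thread or from PostgreSQL) that simulates how PostgreSQL delimits a regular single-quoted literal with standard_conforming_strings on and off, and uses that to check whether an interpolated value stays inside its literal under both settings. The function names and sample values are assumptions of this example.

```python
# Added example: checks a quoting routine against both SCS settings.
# Rules modelled (regular '...' literals only, not E'...' literals):
#   - a doubled quote '' is an escaped quote in both modes;
#   - a backslash escapes the next character only when SCS is off.


def literal_end(sql: str, scs: bool) -> int:
    """Index just past the closing quote of the literal at sql[0], or -1 if
    the literal never terminates."""
    if not sql.startswith("'"):
        raise ValueError("expected a literal starting with a single quote")
    i = 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2          # doubled quote: still inside the literal
                continue
            return i + 1        # closing quote found
        if c == "\\" and not scs:
            i += 2              # SCS off: backslash consumes the next char
            continue
        i += 1
    return -1                   # unterminated literal


def quote_literal(value: str, scs: bool) -> str:
    """Standard quoting: double single quotes; double backslashes only when
    the server still treats them as escapes (SCS off)."""
    if not scs:
        value = value.replace("\\", "\\\\")
    return "'" + value.replace("'", "''") + "'"


def backslash_quote(value: str) -> str:
    """Legacy quoting that escapes quotes with a backslash; only meaningful
    while SCS is off, kept here so the check below can flag it."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def is_self_contained(literal: str, scs: bool) -> bool:
    """True iff the quoted text is exactly one literal: it terminates, and
    nothing from the value ends up outside the closing quote."""
    return literal_end(literal, scs) == len(literal)
```

Running is_self_contained over the output of a quoting routine for both scs values is a cheap regression test for code that interpolates rather than using placeholders.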