Re: Protection from SQL injection

From: Chris Browne <cbbrowne(at)acm(dot)org>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-05-05 14:28:12
Message-ID: 60y76ozuyr.fsf@dba2.int.libertyrms.com
Lists: pgsql-hackers

fw(at)deneb(dot)enyo(dot)de (Florian Weimer) writes:
> * Thomas Mueller:
>
>> What do you think about it? Do you think it makes sense to implement
>> this security feature in PostgreSQL as well?
>
> Can't this be implemented in the client library, or a wrapper around it?
> A simple approximation would be to raise an error when you encounter a
> query string that isn't contained in some special configuration file.

This could be implemented in a client library, but that means that
you're still entirely as vulnerable; any client that chooses not to
use that library won't be protected.

It would be a mighty attractive thing to have something at the server
level to protect against the problem.
--
let name="cbbrowne" and tld="linuxfinances.info" in String.concat "@" [name;tld];;
http://linuxdatabases.info/info/lsf.html
If you add a couple of i's to Microsoft's stock ticker symbol, you get
'misfit'. This is, of course, not a coincidence.
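Florian's "simple approximation" (refuse any query string not found in a configuration file), as an added Python example that is not code from this thread; the ALLOWED_QUERIES list, the AllowlistCursor wrapper, and the sqlite3 users table are all constructed for the demo. The last line shows Browne's objection: code that holds the raw connection is not covered by a client-side wrapper.

```python
import re
import sqlite3

# Constructed stand-in for the "special configuration file": the only
# statement texts this wrapper will pass through to the database.
ALLOWED_QUERIES = [
    "SELECT id, name FROM users WHERE name = ?",
    "INSERT INTO users (name) VALUES (?)",
]

def normalize(sql):
    # Collapse whitespace, case and a trailing ';' so harmless reformatting
    # of a listed statement still matches; the comparison is on text only.
    return re.sub(r"\s+", " ", sql).strip().rstrip(";").strip().lower()

class QueryNotAllowed(Exception):
    pass

class AllowlistCursor:
    # Wraps a DB-API cursor and refuses any statement not on the list.
    # Parameters travel separately, so input can never change the text.
    def __init__(self, cursor, allowed):
        self._cur = cursor
        self._allowed = {normalize(q) for q in allowed}

    def execute(self, sql, params=()):
        if normalize(sql) not in self._allowed:
            raise QueryNotAllowed(sql)
        return self._cur.execute(sql, params)

    def fetchall(self):
        return self._cur.fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    cur = AllowlistCursor(conn.cursor(), ALLOWED_QUERIES)
    cur.execute("INSERT INTO users (name) VALUES (?)", ("alice",))
    cur.execute("SELECT id, name FROM users WHERE name = ?", ("alice",))
    rows = cur.fetchall()
    # A statement assembled by concatenation is refused before it reaches
    # the database, whatever the spliced-in value happens to contain.
    try:
        cur.execute("SELECT id, name FROM users WHERE name = '" + "alice" + "'")
        blocked = False
    except QueryNotAllowed:
        blocked = True
    # Browne's objection: code holding the raw connection bypasses the wrapper.
    raw_count = conn.execute("SELECT count(*) FROM users").fetchone()[0]
    return rows, blocked, raw_count
```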
