Re: binds only for s,u,i,d?

From: Greg Stark <gsstark(at)mit(dot)edu>
To: Neil Conway <neilc(at)samurai(dot)com>
Cc: Agent M <agentm(at)themactionfaction(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: binds only for s,u,i,d?
Date: 2006-07-05 16:10:35
Message-ID: 87irmcoww4.fsf@stark.xeocode.com
Lists: pgsql-hackers


Neil Conway <neilc(at)samurai(dot)com> writes:

> On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
>
> > Why can't preparation be used as a global anti-injection facility?
>
> All that work would need to be deferred to EXECUTE-time, which would largely
> defeat the purpose of server-side prepared statements, no?

It would also defeat the anti-injection purpose. If you can use parameters to
change the semantics of the query then you're not really protected any more.
The whole security advantage of using parameters comes from knowing exactly
what a query will do with the data you provide.

--
greg
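
The point above, as an added example that is not part of the thread: a bound parameter can only ever be compared as data, so the statement's meaning is fixed before the value is seen, whereas string-built SQL lets the value rewrite the query. It uses sqlite3 so it runs offline; the `accounts` table and the hostile string are constructed sample data, and the behaviour shown for parameter values matches what PostgreSQL's PREPARE/EXECUTE gives.

```python
import sqlite3

# Constructed sample: SQL-looking text arriving as user data.
HOSTILE = "x' OR '1'='1"


def setup():
    """In-memory table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 10), ("bob", 20), ("carol", 30)])
    return conn


def lookup_unsafe(conn, name):
    # String building: the value becomes part of the statement text,
    # so what the query does now depends on the data it was given.
    sql = "SELECT name FROM accounts WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    # Bind parameter: the statement is parsed first and the value is
    # supplied afterwards, so it can only be compared as a string.
    rows = conn.execute(
        "SELECT name FROM accounts WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


def bind_identifier(conn, column):
    # A parameter cannot stand in for a column or table name: it is a
    # literal, so this returns the constant string for every row rather
    # than the column's values. Structure is never decided by a bind.
    rows = conn.execute("SELECT ? FROM accounts ORDER BY name", (column,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup()
    print(lookup_unsafe(db, HOSTILE))   # every row: the data rewrote the query
    print(lookup_bound(db, HOSTILE))    # []: the value was only ever compared
    print(bind_identifier(db, "balance"))
```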
