Re: Protection from SQL injection

From: "Jaime Casanova" <systemguards(at)gmail(dot)com>
To: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>
Cc: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-26 18:16:10
Message-ID: c2d9e70e0804261116yca965eflf24586c4ca0cf852@mail.gmail.com
Lists: pgsql-sql

On Sat, Apr 26, 2008 at 11:32 AM, Thomas Mueller
<thomas(dot)tom(dot)mueller(at)gmail(dot)com> wrote:
>
> The 'ALLOW_LITERALS NONE' mode is enabled by the developer itself, or
> by an administrator.

Then it solves nothing...
What if the developer never SET ALLOW_LITERALS NONE, or
maybe I can inject "select * from tab where intcol = intcol; set
allow_literals all; add any query you want"?

--
regards,
Jaime Casanova
Soporte de PostgreSQL
Guayaquil - Ecuador
Cel. (593) 087171157
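Jaime's objection is that a mode switched on from inside the session can be switched off again by a second statement riding on the same untrusted input. As an added example, not part of the thread and not PostgreSQL code, the block below uses Python's bundled sqlite3 module as a stand-in client (SQLite has no ALLOW_LITERALS setting; the table, rows and the STACKED_INPUT value are constructed here) to show the two controls a defender relies on regardless of any session flag: the driver refusing more than one statement per execute() call, and parameter binding, which hands the value to the database out of band so it is never parsed as SQL and no SET can be smuggled in.

```python
import sqlite3

# Constructed sample schema and rows (not from the mailing-list thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tab (intcol INTEGER, name TEXT)")
    conn.executemany("INSERT INTO tab VALUES (?, ?)", [(1, "a"), (2, "b")])
    conn.commit()
    return conn

# Shape of the input Jaime describes: a value that closes the WHERE clause
# and then tries to stack further statements behind it (constructed here).
STACKED_INPUT = "intcol; set allow_literals all; select 1"

def lookup_by_concatenation(conn, user_value):
    """The pattern the thread worries about: the value is spliced into the
    statement text. Returns ("rows", rows) or ("rejected", reason).

    sqlite3 prepares only the first statement and raises when non-blank SQL
    is left over (sqlite3.Warning on older Pythons, ProgrammingError on
    newer ones), so the stacked statements never run. A server-side flag is
    not what stops them; the one-statement-per-call rule of the client is."""
    sql = "SELECT * FROM tab WHERE intcol = " + str(user_value)
    try:
        return ("rows", conn.execute(sql).fetchall())
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        return ("rejected", str(exc))

def lookup_by_binding(conn, user_value):
    """Parameter binding: the value travels as data, never as SQL text, so
    there is no literal for the parser to see and no place for a SET to
    ride along. The same input that tried to stack statements above is just
    a string that matches no integer."""
    cur = conn.execute("SELECT * FROM tab WHERE intcol = ?", (user_value,))
    return cur.fetchall()

def table_is_intact(conn):
    """Sanity check that the schema survived: both rows still present."""
    return conn.execute("SELECT count(*) FROM tab").fetchone()[0] == 2

if __name__ == "__main__":
    db = make_db()
    print(lookup_by_concatenation(db, STACKED_INPUT))  # ('rejected', ...)
    print(lookup_by_binding(db, STACKED_INPUT))        # []
    print(lookup_by_binding(db, 1))                    # [(1, 'a')]
    print(table_is_intact(db))                         # True
```

The two lookup functions take the same input; only the bound form is safe by construction, because the value is never concatenated into the statement and so cannot change what the statement does, whatever session settings are in force.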
