| From: | "Jaime Casanova" <systemguards(at)gmail(dot)com> |
|---|---|
| To: | "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com> |
| Cc: | pgsql-sql(at)postgresql(dot)org |
| Subject: | Re: Protection from SQL injection |
| Date: | 2008-04-26 21:31:46 |
| Message-ID: | c2d9e70e0804261431y6f25f783hf5d43121749b7aba@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-sql |
On Sat, Apr 26, 2008 at 1:19 PM, Thomas Mueller
<thomas(dot)tom(dot)mueller(at)gmail(dot)com> wrote:
> Hi,
>
> > > The 'ALLOW_LITERALS NONE' mode is enabled by the developer itself, or
> > > by an administrator.
> > then it solves nothing...
> > what if the developer never SET ALLOW_LITERALS NONE
>
> As I have said, the 'ALLOW_LITERALS NONE' mode is enabled by the
> developer itself, or by an administrator. The developer may be lazy,
> but the administrator can enforce this policy.
>
but can't the developer allow literals again?
> > maybe i can inject "select * from tab where intcol = intcol; set
> > allow_literals all; add any query you want"
>
> How do you inject this? How would the application looks like where
> this can be injected?
>
ok... point taken
--
regards,
Jaime Casanova
Soporte de PostgreSQL
Guayaquil - Ecuador
Cel. (593) 087171157
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Thomas Kellerer | 2008-04-26 21:32:58 | Re: Protection from SQL injection |
| Previous Message | Thomas Mueller | 2008-04-26 18:19:40 | Re: Protection from SQL injection |