Re: Protection from SQL injection

From: "Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com>
To: "Thomas Kellerer" <spam_eater(at)gmx(dot)net>
Cc: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-27 00:21:48
Message-ID: dcc563d10804261721l68d7dcd1u329d796a8aa8a9b4@mail.gmail.com
Lists: pgsql-sql

On Sat, Apr 26, 2008 at 3:32 PM, Thomas Kellerer <spam_eater(at)gmx(dot)net> wrote:
> Thomas Mueller wrote on 26.04.2008 18:32:
>
> > Literals can still be used when using query tools, or in applications
> > considered 'safe'.
> >
> I fail to see how the backend could distinguish between a query sent by a
> query tool and a query sent by an "application".

Wouldn't it be much simpler to have a version of the libpq client lib
that only understands prepared queries?
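As an added illustration of the proposal above (example code, not part of the original post or of libpq): a client-side wrapper that refuses any query text containing literal values, so every value has to travel as a bound parameter. It assumes sqlite3 as a stand-in for libpq/PostgreSQL so it runs offline, and the literal check is a deliberately coarse heuristic, not a real SQL parser.

```python
import re
import sqlite3

# Assumption: sqlite3 stands in for libpq so the example runs offline
# (PostgreSQL uses $1 placeholders, sqlite3 uses ?).
# Coarse heuristic: any quoted string or bare integer in the query text.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")


class PreparedOnlyClient:
    """Hypothetical client that only accepts parameterised queries.

    This is the thread's idea (a client lib that only understands prepared
    queries) written as a user-space check rather than a change to libpq.
    """

    def __init__(self, conn):
        self._conn = conn

    def query(self, sql, params=()):
        # A literal in the SQL text means the caller spliced a value into the
        # query string, which is exactly the pattern that enables injection.
        if _LITERAL.search(sql):
            raise ValueError("literal in query text; bind it as a parameter")
        return self._conn.execute(sql, params).fetchall()


def setup():
    # Constructed sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable pattern: the value is concatenated into the query text,
    # so a crafted name can change the query's structure.
    return conn.execute(
        "SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def lookup_prepared(client, name):
    # The value is sent out of band as a parameter and is only ever data.
    return client.query("SELECT name FROM users WHERE name = ?", (name,))
```

With a name such as `x' OR '1'='1`, `lookup_unsafe` returns every row while `lookup_prepared` returns none, and passing a query with an inline literal to the client raises `ValueError`.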
