Re: Protection from SQL injection
- From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
- To: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>
- Cc: pgsql-sql(at)postgresql(dot)org
- Subject: Re: Protection from SQL injection
- Date: Sat, 26 Apr 2008 13:05:14 -0400
- Message-id: <12890.1209229514@sss.pgh.pa.us>
"Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com> writes:
> SET ALLOW_LITERALS NONE;
I think you missed April Fool's Day...
This is just silly, as it makes life impossibly painful for users
(constants are hardly a useless part of SQL) and it doesn't really
plug any holes. As an example:
select * from tab where intcol = intcol; delete from tab;
contains no literals and yet the delete is very probably injected.
regards, tom lane
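An added illustration of Tom's point (example code, not from the thread or from any PostgreSQL code): a ban-the-literals check, approximated here by a regex, passes his literal-free payload and the injected delete still runs when the query is assembled by string concatenation, while binding the value as a parameter (the conventional mitigation) leaves the table intact. The regex, the table `tab`, the use of sqlite3 as a stand-in for a PostgreSQL driver, and `executescript` to mimic a driver that accepts several statements in one string are all assumptions.

```python
import re
import sqlite3

# Constructed sample input: the literal-free fragment from Tom's reply, spliced
# into "select * from tab where intcol = <fragment>" by string concatenation.
INJECTED_FRAGMENT = "intcol; delete from tab;"

SETUP_SQL = "create table tab(intcol integer); insert into tab values (1),(2),(3);"


def contains_literals(sql: str) -> bool:
    """Assumed approximation of an ALLOW_LITERALS NONE rule: flag any quoted
    string or numeric constant. It is not a real PostgreSQL setting."""
    return re.search(r"'[^']*'|\b\d+(\.\d+)?\b", sql) is not None


def build_query_by_concat(user_value: str) -> str:
    # The vulnerable pattern: untrusted text becomes part of the SQL grammar.
    return f"select * from tab where intcol = {user_value}"


def run_concatenated(user_value: str) -> tuple:
    """Build the query by concatenation, apply the literal check, then run it
    with executescript (which, like psql or PQexec, accepts several statements).
    Returns (literal_check_flagged, rows_left_in_tab)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    sql = build_query_by_concat(user_value)
    flagged = contains_literals(sql)  # False: no quotes, no digits
    conn.executescript(sql)  # the trailing "delete from tab" executes
    rows_left = conn.execute("select count(*) from tab").fetchone()[0]
    conn.close()
    return flagged, rows_left


def run_parameterized(user_value: str) -> int:
    """Same intent, but the value is bound as a parameter, so the fragment is
    compared against intcol as data and never parsed as SQL. Returns rows left."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    conn.execute("select * from tab where intcol = ?", (user_value,)).fetchall()
    rows_left = conn.execute("select count(*) from tab").fetchone()[0]
    conn.close()
    return rows_left


if __name__ == "__main__":
    print("concatenated (flagged, rows left):", run_concatenated(INJECTED_FRAGMENT))
    print("parameterized rows left:", run_parameterized(INJECTED_FRAGMENT))
```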