From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Mark Mielke <mark(at)mark(dot)mielke(dot)cc> |
Cc: | Greg Sabino Mullane <greg(at)turnstep(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: PG 9.0 and standard_conforming_strings |
Date: | 2010-02-03 19:34:36 |
Message-ID: | 603c8f071002031134k5cf1c191lf3098fe56f5cf5df@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Wed, Feb 3, 2010 at 2:25 PM, Mark Mielke <mark(at)mark(dot)mielke(dot)cc> wrote:
> On 02/03/2010 01:20 PM, Robert Haas wrote:
>> I am not sure I really understand why anyone is a rush to make this
>> change. What harm is being done by the status quo? What benefit do
>> we get out of changing the default? The major argument that has been
>> offered so far is that "if we don't change it now, we never will", but
>> I don't believe that the tenor of this discussion supports the
>> contention that Tom or anyone else never wants to make this change.
>
> For myself, it isn't so much a rush as a sense that the code out there that
> will break, will never change unless forced, and any time seems better than
> never.
>
> Correct me if I am wrong - but I think this issue represents an exploitable
> SQL injection security hole. I switched because I convinced myself that the
> ambiguity of \' represented actual danger. I'm concerned that if the web
> front end doing parameter checking and passing in code using either ''
> quoting or \' quoting can be exploited if the server happens to be
> configured the opposite way. To me, this ambiguity can only be addressed by
> everybody agreeing on the right way to do it, and '' quoting seems like the
> right way to do it to me.
OK, you're wrong. :-)
Yeah, there's a problem if the client and server are configured in
opposite ways, but flipping the default setting of
standard_conforming_strings is not going to make that problem go away.
If anything it's going to make it worse.
...Robert
From | Date | Subject | |
---|---|---|---|
Next Message | Tim Bunce | 2010-02-03 19:38:38 | Re: Add on_trusted_init and on_untrusted_init to plperl UPDATED [PATCH] |
Previous Message | Alvaro Herrera | 2010-02-03 19:33:14 | Re: PG 9.0 and standard_conforming_strings |