Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: Protection from SQL injection
- From: Josh Berkus <josh(at)agliodbs(dot)com>
- To: pgsql-hackers(at)postgresql(dot)org
- Subject: Re: Protection from SQL injection
- Date: Tue, 29 Apr 2008 11:39:09 -0700
- Message-id: <200804291139(dot)09593(dot)josh(at)agliodbs(dot)com>
> If you're going to ask people to do significant revision of their > apps to gain security, they're going to want it to work no matter > what database they run their apps against. This is why you need > a client-side solution such as tainting. Or if people are going to re-write their applications anyway, we'd want at least a theoretically robust and flexible approach like libdejector, which lets you identify which parts of a query structure are modifiable and which are not. For example, some applications need to replace whole phrases: $criteria = "WHERE $var1 = '$var2'" This is a very common approach for dynamic search screens, and really not covered by placeholder approaches. -- --Josh Josh Berkus PostgreSQL @ Sun San Francisco
- Follow-Ups:
- Re: Protection from SQL injection
- From: PFC
- Re: Protection from SQL injection
- References:
- Protection from SQL injection
- From: Thomas Mueller
- Re: Protection from SQL injection
- From: Tom Dunstan
- Re: Protection from SQL injection
- From: Tom Lane
- Protection from SQL injection
- Prev by Date: Re: Protection from SQL injection
- Next by Date: Re: Protection from SQL injection
- Previous by thread: Re: Protection from SQL injection
- Next by thread: Re: Protection from SQL injection
- Indexes: