Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: Protection from SQL injection
- From: Andrew Dunstan <andrew(at)dunslane(dot)net>
- To: Thomas Mueller <thomas(dot)tom(dot)mueller(at)gmail(dot)com>
- Cc: pgsql-hackers(at)postgresql(dot)org
- Subject: Re: Protection from SQL injection
- Date: Tue, 29 Apr 2008 16:33:01 -0400
- Message-id: <481785FD(dot)1020903(at)dunslane(dot)net>
Thomas Mueller wrote:
Forbidding literals will break absolutely every SQL-using application on the planetWell, it's optional. If a developer or admin wants to use it, he will know that it could mean some work. Even if the feature is not enabled, it's still good to have it. And using constants will help document the application.
What is not optional is the probably maintenance complexity of this scheme.Moreover, it seems unlikely that it will even cover the field. A partial cloak might indeed be worse than none, in that it will give some developers an illusion of having security.
Before we embarked on such an enterprise, I would personally want to see fairly loud clamor from our user base for it.
cheers andrew
- Follow-Ups:
- Re: Protection from SQL injection
- From: Andrew Sullivan
- Re: Protection from SQL injection
- References:
- Protection from SQL injection
- From: Thomas Mueller
- Re: Protection from SQL injection
- From: Tom Dunstan
- Re: Protection from SQL injection
- From: Tom Lane
- Re: Protection from SQL injection
- From: Aidan Van Dyk
- Re: Protection from SQL injection
- From: Gregory Stark
- Re: Protection from SQL injection
- From: Aidan Van Dyk
- Re: Protection from SQL injection
- From: Thomas Mueller
- Protection from SQL injection
- Prev by Date: Re: Protection from SQL injection
- Next by Date: Re: Protection from SQL injection
- Previous by thread: Re: Protection from SQL injection
- Next by thread: Re: Protection from SQL injection
- Indexes: