Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: Protection from SQL injection
- From: PFC <lists(at)peufeu(dot)com>
- To: "Hannu Krosing" <hannu(at)krosing(dot)net>, "Aidan Van Dyk" <aidan(at)highrise(dot)ca>
- Cc: "Gregory Stark" <stark(at)enterprisedb(dot)com>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Tom Dunstan" <pgsql(at)tomd(dot)cc>, "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
- Subject: Re: Protection from SQL injection
- Date: Wed, 30 Apr 2008 12:55:06 +0200
- Message-id: <op(dot)uae694f6cigqcu(at)apollo13(dot)peufeu(dot)com>
Could we also get a mode, where PREPARE would only be allowed for queries of the form "SELECT * FROM func(?,?,?,?,?); :)
Actually, that is similar to the concept of "global prepared statements" that I proposed some time ago, but I will not have time to write the patch, alas... Idea was that the DBA can create a list of SQL statements (with privileges about who can execute them, just like functions) which are prepared on-demand at the first EXECUTE by the client. This would enhance performance (but for performance I like the idea of caching plans better). It would be pretty cumbersome, though, to execute dynamic SQL like the typical search query...
- References:
- Protection from SQL injection
- From: Thomas Mueller
- Re: Protection from SQL injection
- From: Tom Dunstan
- Re: Protection from SQL injection
- From: Tom Lane
- Re: Protection from SQL injection
- From: Aidan Van Dyk
- Re: Protection from SQL injection
- From: Gregory Stark
- Re: Protection from SQL injection
- From: Aidan Van Dyk
- Re: Protection from SQL injection
- From: Hannu Krosing
- Protection from SQL injection
- Prev by Date: Re: Protection from SQL injection
- Next by Date: Re: Protection from SQL injection
- Previous by thread: Re: Protection from SQL injection
- Next by thread: Re: Protection from SQL injection
- Indexes: