Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: Protection from SQL injection
- From: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>
- To: pgsql-sql(at)postgresql(dot)org
- Subject: Re: Protection from SQL injection
- Date: Sat, 26 Apr 2008 20:19:40 +0200
- Message-id: <5f211bd50804261119x25c6d488hec0cde5bab189ac5@mail.gmail.com> <text/plain>
Hi, > > The 'ALLOW_LITERALS NONE' mode is enabled by the developer itself, or > > by an administrator. > then it solves nothing... > what if the developer never SET ALLOW_LITERALS NONE As I have said, the 'ALLOW_LITERALS NONE' mode is enabled by the developer itself, or by an administrator. The developer may be lazy, but the administrator can enforce this policy. > maybe i can inject "select * from tab where intcol = intcol; set > allow_literals all; add any query you want" How do you inject this? How would the application looks like where this can be injected? Regards, Thomas
- Follow-Ups:
- Re: Protection from SQL injection
- From: Jaime Casanova
- Re: Protection from SQL injection
- References:
- Protection from SQL injection
- From: Thomas Mueller
- Re: Protection from SQL injection
- From: Jaime Casanova
- Protection from SQL injection
- Prev by Date: Fwd: Protection from SQL injection
- Next by Date: Re: Protection from SQL injection
- Previous by thread: Re: Protection from SQL injection
- Next by thread: Re: Protection from SQL injection
- Indexes: