Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: Protection from SQL injection
- From: "Jaime Casanova" <systemguards(at)gmail(dot)com>
- To: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>
- Cc: pgsql-sql(at)postgresql(dot)org
- Subject: Re: Protection from SQL injection
- Date: Sat, 26 Apr 2008 16:31:46 -0500
- Message-id: <c2d9e70e0804261431y6f25f783hf5d43121749b7aba(at)mail(dot)gmail(dot)com>
On Sat, Apr 26, 2008 at 1:19 PM, Thomas Mueller <thomas(dot)tom(dot)mueller(at)gmail(dot)com> wrote: > Hi, > > > > The 'ALLOW_LITERALS NONE' mode is enabled by the developer itself, or > > > by an administrator. > > then it solves nothing... > > what if the developer never SET ALLOW_LITERALS NONE > > As I have said, the 'ALLOW_LITERALS NONE' mode is enabled by the > developer itself, or by an administrator. The developer may be lazy, > but the administrator can enforce this policy. > but can't the developer allow literals again? > > maybe i can inject "select * from tab where intcol = intcol; set > > allow_literals all; add any query you want" > > How do you inject this? How would the application looks like where > this can be injected? > ok... point taken -- regards, Jaime Casanova Soporte de PostgreSQL Guayaquil - Ecuador Cel. (593) 087171157
- Follow-Ups:
- Re: Protection from SQL injection
- From: Thomas Mueller
- Re: Protection from SQL injection
- References:
- Protection from SQL injection
- From: Thomas Mueller
- Re: Protection from SQL injection
- From: Jaime Casanova
- Re: Protection from SQL injection
- From: Thomas Mueller
- Protection from SQL injection
- Prev by Date: Re: Protection from SQL injection
- Next by Date: Re: Protection from SQL injection
- Previous by thread: Re: Protection from SQL injection
- Next by thread: Re: Protection from SQL injection
- Indexes: