Re: Protection from SQL injection
| From | Josh Berkus |
|---|---|
| Subject | Re: Protection from SQL injection |
| Date | |
| Msg-id | 200804291139.09593.josh@agliodbs.com |
| In reply to | Re: Protection from SQL injection (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses | Re: Protection from SQL injection |
| List | pgsql-hackers |
> If you're going to ask people to do significant revision of their
> apps to gain security, they're going to want it to work no matter
> what database they run their apps against. This is why you need
> a client-side solution such as tainting.

Or if people are going to re-write their applications anyway, we'd want at least a theoretically robust and flexible approach like libdejector, which lets you identify which parts of a query structure are modifiable and which are not. For example, some applications need to replace whole phrases:

    $criteria = "WHERE $var1 = '$var2'"

This is a very common approach for dynamic search screens, and really not covered by placeholder approaches.

--
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco
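The dynamic search screen above, where both the column (`$var1`) and the value (`$var2`) vary per request, is the case a bare placeholder cannot cover, because placeholders bind values, not identifiers. The following is an added example (not code from the thread or from libdejector) of the split the post describes: the modifiable parts of the query structure are declared up front as allowlists, identifiers are checked against them, and values go through bind parameters. It uses Python's stdlib `sqlite3` so it runs offline; PostgreSQL drivers such as psycopg2 take the same `execute(sql, params)` shape with `%s` as the placeholder, and the table and rows are constructed sample data.

```python
import sqlite3
from typing import Any, List, Sequence, Tuple

# Constructed sample data for the demo (not from the mailing-list thread).
SAMPLE_ROWS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# The non-modifiable part of the query structure: the only columns and
# operators a search screen may plug into "WHERE <column> <op> <value>".
SEARCH_COLUMNS = {"name", "role"}
SEARCH_OPERATORS = {"=", "<>", "LIKE"}


def build_where(criteria: Sequence[Tuple[str, str, Any]]) -> Tuple[str, List[Any]]:
    """Turn [(column, operator, value), ...] into a WHERE clause plus params.

    Column and operator are identifiers/keywords, so they must be spliced
    into the SQL text; they are accepted only if they appear in the
    allowlists. Values are never spliced in; each becomes a bind parameter.
    """
    if not criteria:
        return "", []
    clauses: List[str] = []
    params: List[Any] = []
    for column, operator, value in criteria:
        if column not in SEARCH_COLUMNS:
            raise ValueError(f"column not searchable: {column!r}")
        if operator not in SEARCH_OPERATORS:
            raise ValueError(f"operator not allowed: {operator!r}")
        clauses.append(f"{column} {operator} ?")
        params.append(value)
    return " WHERE " + " AND ".join(clauses), params


def search_users(criteria: Sequence[Tuple[str, str, Any]]) -> List[str]:
    """Run the dynamic search against an in-memory table and return names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    where, params = build_where(criteria)
    sql = "SELECT name FROM users" + where + " ORDER BY name"
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return [row[0] for row in rows]
```

A value such as `user' OR '1'='1` is bound as a literal string and matches nothing, while a column name that is not in the allowlist is rejected before any SQL is built.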