Re: Protection from SQL injection
| From | Andrew Sullivan |
|---|---|
| Subject | Re: Protection from SQL injection |
| Date | |
| Msg-id | 20080429212339.GJ4515@commandprompt.com |
| In reply to | Re: Protection from SQL injection (Andrew Sullivan <ajs@commandprompt.com>) |
| Responses | Re: Protection from SQL injection |
| List | pgsql-hackers |
[I know, I know, bad form]

On Tue, Apr 29, 2008 at 04:55:21PM -0400, Andrew Sullivan wrote:

> thinking they have to worry about that area of security at all. I
> think without a convincing argument that the proposal will even come
> close to covering most SQL injection cases, it's a bad idea.

To be perfectly clear, I also think that the reverse is true: if a fairly complete design was demonstrated to be possible such that it covered just about every case, I'd be all for it. (I sort of like the suggestion up-thread, myself, which is to have a GUC that disables multi-statement commands. That'd probably cover a huge number of cases, and combined with some sensible quoting rules in client libraries, would quite possibly be enough.)

A

--
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/
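The message above names two mitigations: refusing multi-statement commands on the server side, and sensible quoting (in practice, parameter binding) in the client library. The following is an added example, not code from this thread or from PostgreSQL, that shows why the author says the two are needed in combination. It uses Python's standard-library `sqlite3` module as a stand-in for a server that accepts only one statement per call (its `execute()` rejects stacked statements; older Pythons raise `sqlite3.Warning`, 3.12+ raises `sqlite3.ProgrammingError`), which is an assumption about the stand-in, not a statement about PostgreSQL's behaviour. The table, the two lookup functions and the constructed inputs are all hypothetical.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def run_single_statement(conn, sql, params=()):
    """Execute sql, refusing anything that is more than one statement.

    The stand-in enforces the single-statement rule inside execute(); we
    translate its exception into a 'refused' flag so callers can see the
    difference between 'no rows matched' and 'command rejected'.
    Returns (list of role values, refused).
    """
    try:
        rows = conn.execute(sql, params).fetchall()
        return [r[0] for r in rows], False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return [], True


def build_query_unsafe(name):
    """Vulnerable: the caller's string is pasted into the SQL text."""
    return "SELECT role FROM users WHERE name = '" + name + "'"


def lookup_unsafe(conn, name):
    """String concatenation, relying only on the single-statement rule."""
    return run_single_statement(conn, build_query_unsafe(name))


def lookup_safe(conn, name):
    """Parameter binding: the input is always a literal, never SQL text."""
    return run_single_statement(
        conn, "SELECT role FROM users WHERE name = ?", (name,)
    )


def count_users(conn):
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: one stacks a second statement, one stays inside
    # a single statement by altering the WHERE clause.
    stacked = "x'; DELETE FROM users; --"
    tautology = "x' OR '1'='1"

    print("stacked, concatenated :", lookup_unsafe(db, stacked))   # refused
    print("stacked, bound        :", lookup_safe(db, stacked))     # no match
    print("rows still present    :", count_users(db))              # 2
    print("tautology, concatenated:", lookup_unsafe(db, tautology))  # both roles
    print("tautology, bound      :", lookup_safe(db, tautology))   # no match
```

The single-statement rule alone stops the stacked input (the command is refused and the table is untouched) but does nothing against the second input, which never leaves the original statement; only parameter binding treats both as plain literals. That is the "combined with some sensible quoting rules" part of the message.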