Re: binds only for s,u,i,d?
| От | Andrew Dunstan |
|---|---|
| Тема | Re: binds only for s,u,i,d? |
| Дата | |
| Msg-id | 44ABF34C.8040809@dunslane.net обсуждение исходный текст |
| Ответ на | Re: binds only for s,u,i,d? (Greg Stark <gsstark@mit.edu>) |
| Список | pgsql-hackers |
Greg Stark wrote: >Neil Conway <neilc@samurai.com> writes: > > > >>On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote: >> >> >> >>>Why can't preparation be used as a global anti-injection facility? >>> >>> >>All that work would need to be deferred to EXECUTE-time, which would largely >>defeat the purpose of server-side prepared statements, no? >> >> > >It would also defeat the anti-injection purpose. If you can use parameters to >change the semantics of the query then you're not really protected any more. >The whole security advantage of using parameters comes from knowing exactly >what a query will do with the data you provide. > > > Exactly. In particular, the suspect data should never hit the parser. You can defeat that with a function call, of course, but you have to work at it. cheers andrew
В списке pgsql-hackers по дате отправления: