Willing to fix a PQexec() in libpq module
From: Wu, Fei
Subject: Willing to fix a PQexec() in libpq module
Msg-id: 52E6E0843B9D774C8C73D6CF64402F05621F0FFC@G08CNEXMBPEKD02.g08.fujitsu.local
Replies: Re: Willing to fix a PQexec() in libpq module
List: pgsql-hackers
Hi, all
On website: https://wiki.postgresql.org/wiki/Todo#libpq
I found that in libpq module, there is a TODO case:
-------------------------------------------------------------------------------
Consider disallowing multiple queries in PQexec() as an additional barrier to SQL injection attacks
-------------------------------------------------------------------------------
I am interested in this one. So, has it been fixed?
If not, I am willing to do so.
In manual, I found that:
-----------------------------------------------------------------------------
Unlike PQexec, PQexecParams allows at most one SQL command in the given string. (There can be
semicolons in it, but not more than one nonempty command.) This is a limitation of the underlying
protocol, but has some usefulness as an extra defense against SQL-injection attacks.
-------------------------------------------------------------------------------
Maybe we can fix PQexec() just like PQexecParams()?
I will try to fix it~
--
Best Regards
-----------------------------------------------------
Wu Fei
DX3
Software Division III
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
ADDR.: No.6 Wenzhu Road, Software Avenue,
Nanjing, 210012, China
TEL : +86+25-86630566-9356
COINS: 7998-9356
FAX: +86+25-83317685
MAIL:wufei.fnst@cn.fujitsu.com
http://www.fujitsu.com/cn/fnst/
---------------------------------------------------