Re: PG 9.0 and standard_conforming_strings
| From | Robert Haas |
|---|---|
| Subject | Re: PG 9.0 and standard_conforming_strings |
| Date | |
| Msg-id | 603c8f071002031816l1262ba1bne30e0fedbb4b1744@mail.gmail.com |
| In reply to | Re: PG 9.0 and standard_conforming_strings (Andrew Dunstan <andrew@dunslane.net>) |
| Responses | Re: PG 9.0 and standard_conforming_strings; Re: PG 9.0 and standard_conforming_strings |
| List | pgsql-hackers |
On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <andrew@dunslane.net> wrote:
> marcin mank wrote:
>> A certain prominent web framework has a nasty SQL injection bug when
>> PG is configured with SCS. This bug is not present without SCS
>> (details per email for interested PG hackers). I say, hold it off.
>
> Any web framework that interpolates user supplied values into SQL rather
> than using placeholders is broken from the get go, IMNSHO. I'm not saying
> that there aren't reasons to hold up moving to SCS, but this isn't one of
> them.

That seems more than slightly harsh. I've certainly come across situations where interpolating values (with proper quoting of course) made more sense than using placeholders. YMMV, of course.

...Robert
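An added illustration (not part of the thread, and not the details of the bug marcin refers to) of why "proper quoting" has to know the server's standard_conforming_strings setting while a placeholder never does: a toy model of how PostgreSQL delimits a plain 'single-quoted' literal under each setting, run against two constructed escaping helpers. The query shape, the helpers and the sample values are all constructed; libpq's PQescapeStringConn avoids this trap by consulting the connection's setting.

```python
# Toy model of PostgreSQL's lexing of an ordinary 'literal' under both
# standard_conforming_strings (SCS) settings. Only plain quotes are modelled;
# E'...' and $$...$$ forms are out of scope. Constructed example, not PG code.

def literal_end(sql: str, start: int, scs_on: bool) -> int:
    """Index just past the literal opening at sql[start] == "'".
    SCS on: backslash is an ordinary character; only '' embeds a quote.
    SCS off: backslash also escapes the following character.
    Returns -1 if the literal never terminates."""
    assert sql[start] == "'"
    i, n = start + 1, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "\\" and not scs_on:
            i += 2          # backslash-escaped character (non-standard mode)
            continue
        if ch == "'":
            if i + 1 < n and sql[i + 1] == "'":
                i += 2      # doubled quote stays inside the literal
                continue
            return i + 1    # closing quote
        i += 1
    return -1

def escape_backslash(value: str) -> str:
    """Quoting that relies on the non-standard backslash escape (constructed)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def escape_doubled(value: str) -> str:
    """Standard SQL quoting: double each single quote, leave backslashes alone."""
    return value.replace("'", "''")

def build(escape, value: str) -> str:
    # Constructed query shape; a placeholder ($1) would send the value out of band.
    return "SELECT * FROM users WHERE name = '" + escape(value) + "'"

def contained(escape, value: str, scs_on: bool) -> bool:
    """True if the escaped value sits in one literal that closes at the
    query's final quote, i.e. none of it leaks into SQL syntax."""
    sql = build(escape, value)
    return literal_end(sql, sql.index("'"), scs_on) == len(sql)

if __name__ == "__main__":
    for name, esc in (("backslash", escape_backslash), ("doubled", escape_doubled)):
        for value in ("O'Brien", "a\\"):
            print(name, repr(value), "SCS off:", contained(esc, value, False),
                  "SCS on:", contained(esc, value, True))
```

Neither helper is safe under both settings: backslash escaping breaks with SCS on, and quote doubling alone breaks with SCS off when the value carries a backslash.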