Re: Best practices for protect applications agains Sql injection.
From | Gregory Stark |
---|---|
Subject | Re: Best practices for protect applications agains Sql injection. |
Date | |
Msg-id | 87lk6g1b14.fsf@oxford.xeocode.com (discussion, source text) |
In response to | Best practices for protect applications agains Sql injection. (pepone.onrez <pepone.onrez@gmail.com>) |
Responses | Re: Best practices for protect applications agains Sql injection.; Re: Best practices for protect applications agains Sql injection. |
List | pgsql-general |
"pepone.onrez" <pepone.onrez@gmail.com> writes:

> Hi all
>
> I am interested in protecting my applications that use postgresql as the
> database backend from SQL injection attacks. Can anyone recommend best
> practices or references for protecting postgres from this kind of malicious
> user?

I strongly urge people to adopt a policy of using prepared queries except when absolutely necessary. If all user-provided data is passed to the database as parameters to a prepared query then you should never need to worry about SQL injection.

It's possible to always quote your parameters before inserting them into the query but it's much more error-prone. It's also much harder to look at a piece of code and be sure it's correct. If you religiously use prepared queries then any variables interpolated directly into the query stand out like sore thumbs.

--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Ask me about EnterpriseDB's 24x7 Postgres support!
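The contrast Stark describes, as an added example that is not part of his message or the thread: the same lookup written once by splicing user input into the SQL text and once as a parameterized query, run against a constructed users table with a tautology payload and with an honest name containing a quote, plus a hypothetical one-file lint that flags execute() calls built with f-strings, %, .format or +. sqlite3 is used only so the example runs offline; the execute(sql, params) call has the same DB-API shape with psycopg2 against PostgreSQL (placeholder %s instead of ?). The table, the sample source snippet and the helper names are all assumptions made for this example.

```python
"""Parameterized queries vs. string interpolation for SQL injection."""
import re
import sqlite3

# Constructed sample data standing in for an application's users table.
# sqlite3 is used only so this runs offline; the execute(sql, params) shape
# is the same DB-API call you would make with psycopg2 against PostgreSQL
# (placeholder "%s" instead of "?").
USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
    (3, "o'brien", "obrien@example.org"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_interpolated(conn, name):
    """VULNERABLE: user data is spliced into the SQL text itself."""
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """SAFE: the SQL text is a constant; the value travels as a parameter."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload: closes the literal and appends OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


def breaks_on_legitimate_input(conn, name="o'brien"):
    """Interpolation also mangles honest input containing a quote: the
    unbalanced quote produces a syntax error instead of a result."""
    try:
        lookup_interpolated(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


# Coarse source lint for the "stands out like a sore thumb" review habit:
# flag execute() calls whose SQL is built with f-strings, %, .format or +.
# Hypothetical helper written for this example, not a real tool; it only
# catches interpolation that sits on the same line as the execute() call.
INTERPOLATION_PATTERNS = [
    re.compile(r"""execute\(\s*f["']"""),             # execute(f"...{x}...")
    re.compile(r"""execute\([^)]*["']\s*%\s*\("""),   # execute("..." % (x,))
    re.compile(r"""execute\([^)]*\.format\("""),      # execute("...".format(x))
    re.compile(r"""execute\([^)]*["']\s*\+\s*\w"""),  # execute("..." + x)
]


def find_interpolated_queries(source):
    """Return 1-based line numbers of execute() calls that interpolate."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), start=1)
        if any(p.search(line) for p in INTERPOLATION_PATTERNS)
    ]


# Constructed snippet to lint; only line 3 passes the value as a parameter.
SAMPLE_SOURCE = """\
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
cur.execute("SELECT * FROM users WHERE name = '%s'" % (name,))
cur.execute("SELECT * FROM users WHERE name = %s", (name,))
cur.execute("SELECT * FROM users WHERE id = " + str(uid))
"""

if __name__ == "__main__":
    db = make_db()
    print("interpolated:", lookup_interpolated(db, PAYLOAD))   # every row
    print("prepared:    ", lookup_prepared(db, PAYLOAD))       # no rows
    print("honest quote:", lookup_prepared(db, "o'brien"))     # one row
    print("lint hits:   ", find_interpolated_queries(SAMPLE_SOURCE))
```

Whether a driver binds the parameter server-side (a libpq prepared statement or PQexecParams) or quotes it client-side is the driver's concern; the application never splices user text into the SQL string, which is what removes the injection. Hand quoting, by contrast, also has to match the server's escape rules (in PostgreSQL, whether a backslash in an ordinary string literal is an escape depends on standard_conforming_strings), which is one concrete reason it is so much more error-prone than Stark's policy of prepared queries everywhere.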