Re: PCI:SSF - Safe SQL Query & operators filter
From | Laurenz Albe
---|---
Subject | Re: PCI:SSF - Safe SQL Query & operators filter
Date |
Msg-id | 96d54b77e1584463cc1c12e1a3ed6870063916b2.camel@cybertec.at
In reply to | Re: PCI:SSF - Safe SQL Query & operators filter (Jan Bilek <jan.bilek@eftlab.com.au>)
Responses | Re: PCI:SSF - Safe SQL Query & operators filter
List | pgsql-general
On Tue, 2022-11-08 at 04:14 +0000, Jan Bilek wrote:
> I know it is not exactly what you suggested (and agreeing a lot with our
> app user shouldn't be running as superuser), but as all other inputs
> from our application come sanitized through bind and this is the only
> way where user can send an explicit command in there - I think it should do!
>
> Please let me know if you approve.

I strongly disapprove, and any security audit you pass with such a setup is worthless.

I repeat: the application does not need to connect with a superuser.

I don't understand what you want to demonstrate with the code samples, or what you mean
when you say that "the user can send an explicit command".

Yours,
Laurenz Albe
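As an added illustration of the point made in the message above (this is not code from the thread or from either participant): a PostgreSQL role setup in which the application connects as an ordinary login role rather than a superuser, followed by the queries an auditor can run to confirm it. The role, schema, table and sequence names (`app_user`, `app`, `app.orders`, `app.orders_id_seq`) and the connection limit are assumptions chosen for the example.

```sql
-- Added example, not from the mailing-list thread. Role, schema, table and
-- sequence names are assumptions chosen for illustration.

-- 1. A dedicated, non-superuser login role for the application.
--    NOSUPERUSER / NOCREATEDB / NOCREATEROLE / NOBYPASSRLS are already the
--    CREATE ROLE defaults, but are spelled out so the intent survives review.
CREATE ROLE app_user
    LOGIN
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS
    CONNECTION LIMIT 50;

-- 2. Grant only what the application's prepared (bind-parameter) statements
--    actually use; nothing else is reachable even if a query is malformed.
GRANT USAGE ON SCHEMA app TO app_user;
GRANT SELECT, INSERT, UPDATE ON app.orders TO app_user;
GRANT USAGE ON SEQUENCE app.orders_id_seq TO app_user;

-- 3. Stop the role from creating objects in the default schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 4. Audit check, run while connected as the application role.
--    Every boolean column should come back false; rolsuper = true means the
--    application is still connecting as a superuser.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls
FROM pg_roles
WHERE rolname = current_user;

-- 5. Audit check: which tables the role can touch, and how. The list should
--    match step 2 exactly; anything extra is a grant to investigate.
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'app_user'
ORDER BY table_schema, table_name, privilege_type;
```

The two SELECTs at the end are the evidence an assessor would want: the first proves the connecting role has no superuser or bypass attributes, the second enumerates the exact table privileges the role holds.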