Re: Protection from SQL injection
From | Jaime Casanova
---|---
Subject | Re: Protection from SQL injection
Date |
Msg-id | c2d9e70e0804261431y6f25f783hf5d43121749b7aba@mail.gmail.com
In reply to | Re: Protection from SQL injection ("Thomas Mueller" <thomas.tom.mueller@gmail.com>)
Responses | Re: Protection from SQL injection
List | pgsql-sql
On Sat, Apr 26, 2008 at 1:19 PM, Thomas Mueller <thomas.tom.mueller@gmail.com> wrote:
> Hi,
>
> > > The 'ALLOW_LITERALS NONE' mode is enabled by the developer itself, or
> > > by an administrator.
> > then it solves nothing...
> > what if the developer never SET ALLOW_LITERALS NONE
>
> As I have said, the 'ALLOW_LITERALS NONE' mode is enabled by the
> developer itself, or by an administrator. The developer may be lazy,
> but the administrator can enforce this policy.
>

but can't the developer allow literals again?

> > maybe i can inject "select * from tab where intcol = intcol; set
> > allow_literals all; add any query you want"
>
> How do you inject this? How would the application looks like where
> this can be injected?
>

ok... point taken

--
regards,
Jaime Casanova
Soporte de PostgreSQL
Guayaquil - Ecuador
Cel. (593) 087171157
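An added illustration of the literal-free mode the thread argues about (example code written for this page, not from the thread or any database product): a small Python check that refuses SQL text carrying string or numeric literals, which approximates what a mode like ALLOW_LITERALS NONE enforces, applied to a concatenated query and to a parameterised one against a constructed in-memory SQLite table. The scanner, table and user input are assumptions for the demo; the literal-free statement quoted in the thread passes the check unchanged, which is exactly the limit the discussion turns on.

```python
import re
import sqlite3

# Scanner for SQL literals: single-quoted strings and numbers that are not
# part of an identifier.  Mirrors the idea of a literal-free mode: a statement
# whose text carries any literal is refused, so user data can only arrive via
# placeholders.  Assumption: ANSI quoting rules are enough for these inputs;
# this is a demonstration, not a full SQL parser.
LITERAL_RE = re.compile(
    r"""
    '(?:[^']|'')*'                       # string literal ('' escapes a quote)
  | (?<![\w.])\d+(?:\.\d+)?(?![\w.])     # number not attached to an identifier
    """,
    re.VERBOSE,
)


def find_literals(sql):
    """Return every literal found in the statement text (empty list if none)."""
    # Blank out double-quoted identifiers first so names like "col2" don't match.
    no_idents = re.sub(r'"(?:[^"]|"")*"', '""', sql)
    return [m.group(0) for m in LITERAL_RE.finditer(no_idents)]


def execute_no_literals(conn, sql, params=()):
    """Refuse any statement carrying a literal; otherwise run it with params."""
    found = find_literals(sql)
    if found:
        raise ValueError("literal(s) not allowed in SQL text: %r" % found)
    return conn.execute(sql, params).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")  # constructed table
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    user_input = "2"  # constructed request parameter, deliberately benign
    results = {}
    # 1. Concatenation: even benign input becomes a literal in the SQL text,
    #    so the literal-free mode refuses the statement outright.
    try:
        execute_no_literals(conn, "SELECT name FROM users WHERE id = " + user_input)
        results["concat"] = "accepted"
    except ValueError as err:
        results["concat"] = "rejected: " + str(err)
    # 2. Placeholder: the SQL text carries no literal; the value travels separately.
    results["param"] = execute_no_literals(
        conn, "SELECT name FROM users WHERE id = ?", (int(user_input),))
    return results
```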