From: | "Greg Sabino Mullane" <greg(at)turnstep(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Protection from SQL injection |
Date: | 2008-05-05 20:00:43 |
Message-ID: | 0d3cc7c47e7c81dcd9e97b646868cb4a@biglumber.com |
Lists: | pgsql-hackers |
> How often do people code comments into prepare statements in perl
> or the equivalent in java, ruby, etc?
>
> Do you put comments in your perl prepare statements?
Does it matter? It shouldn't. They are comments.
> If comments count as a statement, at the server end, then the
> multi-statement disabling also disables another attack vector -
> slightly: you can no longer attack using this as your username:
> "' OR 1=1;--"
Using placeholders and other best practices removes such attacks
completely.
I mostly agree with some other people in this thread that the
'disable multi-line switch' is marginally useful at best, and provides
a false sense of security. But let's not confuse the issue with
examples like the above. Otherwise I'll point out yet again that this
whole thing's a solution in search of a problem. Poorly written apps
will remain poorly written apps, no matter what server-side band-aids
we try to apply.
--
Greg Sabino Mullane greg(at)turnstep(dot)com
PGP Key: 0x14964AC8 200805051559
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8
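The placeholder point made in the reply, as an added example that is not part of the original thread: the username from the quoted message is run once through string interpolation and once through a bound parameter. It assumes Python's bundled sqlite3 (chosen so it runs without a server; the bug and the fix behave the same with a PostgreSQL driver) and a constructed two-row users table.

```python
import sqlite3

# The exact username quoted in the thread; treated as data it is harmless,
# spliced into SQL text it rewrites the WHERE clause.
INJECTION = "' OR 1=1;--"


def make_db():
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_interpolated(conn, username):
    """Vulnerable: the value becomes part of the SQL text, so the quote,
    the OR and the -- comment all change what the statement means.
    With INJECTION the query becomes
        SELECT username FROM users WHERE username = '' OR 1=1;--'
    and every row comes back."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_placeholder(conn, username):
    """Safe: the statement is prepared with a placeholder and the value is
    bound separately, so it is compared literally and never parsed as SQL.
    Comment characters in the value do not matter; they are just bytes."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("interpolated:", lookup_interpolated(db, INJECTION))  # both users
    print("placeholder: ", lookup_placeholder(db, INJECTION))   # no match
    print("placeholder: ", lookup_placeholder(db, "alice"))     # ['alice']
```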