| From: | Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: SQL injection, php and queueing multiple statement |
| Date: | 2008-04-12 18:17:31 |
| Message-ID: | 20080412201731.1e751826@webthatworks.it |
| Lists: | pgsql-general |
On Sat, 12 Apr 2008 12:39:38 -0400
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it> writes:
> > I may sound naive but having a way to protect the DB from this
> > kind of injections looks as a common problem, I'd thought there
> > was already a common solution.
>
> Use prepared statements.
Yeah... but how can I effectively enforce the policy that ALL input
will be passed through prepared statements?
If I can't, and I doubt there is a system that will let me enforce
that policy at a reasonable cost, why not provide a safety net that
will at least raise the bar for the attacker at a very cheap cost?
If programmers didn't make errors, or errors were cheap to find, there
wouldn't be any SQL injection problem.
--
Ivan Sergio Borgonovo
http://www.webthatworks.it