Re: SQL injection, php and queueing multiple statement

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: SQL injection, php and queueing multiple statement
Date: 2008-04-13 09:49:58
Message-ID: 20080413094958.GA32735@svana.org
Lists: pgsql-general

On Sun, Apr 13, 2008 at 10:37:52AM +0200, Ivan Sergio Borgonovo wrote:
> > Because you appear to be seeking something to protect against
> > programmers who do not follow coding guidelines, and that should
> > help even if code review processes fail to catch the problem. Were
> > that not the case you'd be able to use some of the other
> > suggestions made here. I quote:
>
> Default 1 statement; switching to more than one has to be "voluntary"
> and "conscious" and can be easily spotted with grep only.

It's not quite so simple, there are backward compatibility issues.
Postgres supported multiple queries in one string since forever and
there is a huge amount of code written and still being written that
takes advantage of this. Most in contexts where SQL injection is simply
not an issue since they're static queries.

PQexec("BEGIN; CREATE TABLE ... ; CREATE TABLE ...; etc; COMMIT;");

For dynamic queries people were using prepared statements already so it
made sense to restrict it for prepared statements and leave one-shot
queries alone. You are advocating catering to a coding style that has
been discouraged for years.

If you want a definitive answer I suppose you need to check the archives
at the time this decision was made, which is quite some time back.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Please line up in a tree and maintain the heap invariant while
> boarding. Thank you for flying nlogn airlines.
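An added illustration of the distinction drawn above (example code written for this page, not from the original thread; the connection string and the `items(id int, name text)` table are assumed): with pg_query() the whole string goes through the simple-query protocol, so a semicolon in concatenated input starts a second statement, while pg_query_params() uses the extended protocol, which accepts exactly one statement and carries the value as a bound parameter.

```php
<?php
// Assumed connection details and an assumed table items(id int, name text).
$conn = pg_connect("host=localhost dbname=example user=app");
if ($conn === false) {
    exit("connect failed\n");
}

// Constructed "user input": an id followed by a second, harmless statement.
$input = "1; SELECT 2";

// Static multi-statement script: the legitimate simple-query use from the mail,
// the same shape as PQexec("BEGIN; ...; COMMIT;").
pg_query($conn, "BEGIN; CREATE TEMP TABLE audit(id int); COMMIT;");

// Dynamic query built by concatenation: pg_query() hands the entire string to the
// simple-query protocol, so everything after the ';' runs as a second statement.
$res = pg_query($conn, "SELECT name FROM items WHERE id = " . $input);

// Dynamic query with a parameter: pg_query_params() uses the extended protocol.
// $1 is bound as a value and never parsed as SQL, so "1; SELECT 2" is just a
// string that fails to cast to integer, and the server returns an error.
$res = pg_query_params($conn, 'SELECT name FROM items WHERE id = $1', array($input));
if ($res === false) {
    echo "rejected: " . pg_last_error($conn) . "\n";
}

// The statement text itself may also hold only one command under the extended
// protocol: pg_query_params($conn, 'SELECT 1; SELECT 2', array()) is refused
// by the server, which is the restriction the mail refers to.

// The intended lookup, with a proper id.
$res = pg_query_params($conn, 'SELECT name FROM items WHERE id = $1', array(1));
while ($row = pg_fetch_assoc($res)) {
    echo $row['name'], "\n";
}
```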
