| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Mark Mielke <mark(at)mark(dot)mielke(dot)cc> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Greg Sabino Mullane <greg(at)turnstep(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: PG 9.0 and standard_conforming_strings |
| Date: | 2010-02-03 19:41:13 |
| Message-ID: | 2068.1265226073@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Mark Mielke <mark(at)mark(dot)mielke(dot)cc> writes:
> On 02/03/2010 01:20 PM, Robert Haas wrote:
>> I am not sure I really understand why anyone is a rush to make this
>> change.
> For myself, it isn't so much a rush as a sense that the code out there
> that will break, will never change unless forced, and any time seems
> better than never.
I have not heard anyone arguing for the position that we should never do
it. The argument is about whether it's a good idea to do it *right
now*, without any advance notice or planning.
> Correct me if I am wrong - but I think this issue represents an
> exploitable SQL injection security hole.
Indeed it is, which is one of the reasons to be cautious with changing
it. We've been telling people to move away from \' for a long time,
but actually flipping the switch that will make their apps insecure
is not something to do on the spur of the moment.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2010-02-03 19:53:00 | Re: Add on_trusted_init and on_untrusted_init to plperl UPDATED [PATCH] |
| Previous Message | Joe Conway | 2010-02-03 19:39:14 | Re: use of dblink_build_sql_insert() induces a server crash |