| From: | Alex Turner <armtuk(at)gmail(dot)com> |
|---|---|
| To: | Hannes Dorbath <light(at)theendofthetunnel(dot)de> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: SQL injection |
| Date: | 2005-11-03 15:15:14 |
| Message-ID: | 33c6269f0511030715m3254daaag70c56736ce946e9d@mail.gmail.com |
| Lists: | pgsql-general |
Please, enlighten us all and demonstrate a case of SQL injection that
gets around magic quotes. I know I am trying to think of one, and I
can't come up with one. Instead of just claiming it to be 'evil', why
don't you actually back the statement up with some reasoned arguments?
I hate FUD.
Alex
On 11/3/05, Hannes Dorbath <light(at)theendofthetunnel(dot)de> wrote:
> On 03.11.2005 04:12, Alex Turner wrote:
> > I would have to say that for security purposes - I would want magic
> > quotes _on_ rather than off for the whole reasons of SQL Injection
> > that we already talked about.
>
> magic_quotes is evil and, if anything, only prevents the simplest
> cases of SQL injection. Keep it turned off. Use
> http://php.net/pg_query_params exclusively to build secure queries.
>
>
> --
> Regards,
> Hannes Dorbath
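As an added illustration of the two approaches this thread contrasts (this is not code from either poster), assuming a `users` table with `id` and `username` columns and a placeholder connection string:

```php
<?php
// Added example, not from the thread. Table and column names are assumed;
// the connection string is a placeholder for your own environment.
$db = pg_connect('host=localhost dbname=example user=app') or die('connect failed');

// 1. Interpolation: the user-supplied string becomes part of the SQL text.
//    Safety then depends on escaping being applied, and being correct for
//    this exact context (a single-quoted literal). magic_quotes tried to do
//    this globally to all request input, which is why it only covers the
//    simplest cases: it knows nothing about where the value ends up.
function find_user_interpolated($db, $username) {
    $sql = "SELECT id, username FROM users WHERE username = '"
         . pg_escape_string($username) . "'";
    return pg_query($db, $sql);
}

// 2. Parameterised: the SQL text is fixed and contains only the placeholder
//    $1. The value is sent separately and bound by the server, so it is
//    never parsed as SQL, whatever characters it contains. No escaping is
//    needed here; if magic_quotes_gpc were on, the input would already carry
//    backslashes and the stored value would be wrong, which is one reason the
//    thread says to keep it off.
function find_user_params($db, $username) {
    $sql = 'SELECT id, username FROM users WHERE username = $1';
    return pg_query_params($db, $sql, array($username));
}

// Constructed input containing a quote character.
$name = "O'Brien";

$res = find_user_params($db, $name);
if ($res === false) {
    echo pg_last_error($db), "\n";
} else {
    while ($row = pg_fetch_assoc($res)) {
        echo $row['id'], ' ', $row['username'], "\n";
    }
}
```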