From: | Tom Allison <tallison(at)tacocat(dot)net> |
---|---|
To: | Geoff Caplan <geoff(at)variosoft(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Sql injection attacks |
Date: | 2004-07-27 05:58:54 |
Message-ID: | 4105EF1E.2020901@tacocat.net |
Lists: | pgsql-general |
Geoff Caplan wrote:
> Hi folks
>
> Seems we have two schools of thought:
>
> 1) The validation/escaping approach, supported by Bill and Jim
>
> 2) The "don't mix data with code" approach supported by Peter and
> Greg.
>
> As I learn more about the issues, I am increasingly veering towards
> the second approach.
>
Now I always assumed that the correct approach was always going to be
D) ALL of the above.
Furthermore, if you are really concerned about passing information
through the URL, consider relating data in your database to sessions,
cookies, and file caches to alias all those fields you pass back and
forth to a session ID or similar. The example of "...index.html?id=34"
is sufficient for much of this, though I doubt 'zine articles merit
greater security than this.
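The three defences the thread is weighing (validating the input, keeping data out of the SQL text by binding it as a parameter, and Tom's suggestion of aliasing the real row id to an opaque per-session token) side by side, as an added example that is not part of the original post or of the PostgreSQL project. It uses Python's built-in sqlite3 with an in-memory database as an offline stand-in for PostgreSQL; the table names, the `?id=34` article, the `users` table and the `SessionAliases` class are constructed for the illustration. With PostgreSQL and a `$1` parameter the injected string would be rejected with a type error instead of silently matching nothing, which is the same outcome: it never executes as SQL.

```python
"""Four ways of handling ?id=<value> from a URL: no defence, parameterized
only, validated + parameterized, and session-aliased ids.

Added example; sqlite3 stands in for PostgreSQL so it runs offline.
"""
import re
import secrets
import sqlite3


def make_db():
    # Constructed sample data: the 'zine articles the URL is meant to reach,
    # plus a table an attacker would like to read through the same query.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO articles VALUES (34, 'Hardening the LAMP stack');
        INSERT INTO articles VALUES (35, 'Why escaping is not enough');
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2');
    """)
    return db


# Constructed attacker input, exactly as it would arrive in the id= parameter.
INJECTED_ID = "0 UNION SELECT name || ':' || password FROM users"


def fetch_vulnerable(db, raw_id):
    """No defence: data is spliced into code, so the UNION becomes part of
    the statement and the users table comes back as an 'article title'."""
    sql = "SELECT title FROM articles WHERE id = " + raw_id
    return [row[0] for row in db.execute(sql)]


def fetch_parameterized(db, raw_id):
    """School 2 ("don't mix data with code"): the value is bound as a
    parameter, so the server only ever compares id against a string; the
    string is never parsed as SQL."""
    rows = db.execute("SELECT title FROM articles WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]


def validate_id(raw_id):
    """School 1 (validation): an article id is a short run of digits and
    nothing else. Returns the int, or None to reject. A strict regex is used
    rather than int(), which would accept ' 34 ' and '3_4'."""
    if re.fullmatch(r"\d{1,9}", raw_id) is None:
        return None
    return int(raw_id)


def fetch_validated(db, raw_id):
    """Tom's "all of the above": reject anything that is not an id, then
    bind what survives as a typed parameter anyway."""
    article_id = validate_id(raw_id)
    if article_id is None:
        return []
    rows = db.execute("SELECT title FROM articles WHERE id = ?", (article_id,))
    return [row[0] for row in rows]


class SessionAliases:
    """Tom's aliasing suggestion: the URL carries an opaque, unguessable
    token tied to the session store; the real row id never leaves the
    server and a forged token resolves to nothing. A dict stands in for the
    session/cookie/file-cache store."""

    def __init__(self):
        self._real_id_by_token = {}

    def alias(self, real_id):
        token = secrets.token_urlsafe(16)
        self._real_id_by_token[token] = real_id
        return token

    def resolve(self, token):
        return self._real_id_by_token.get(token)


def fetch_by_alias(db, aliases, token):
    """Resolve the session token to a real id, then run the validated,
    parameterized lookup with it."""
    real_id = aliases.resolve(token)
    if real_id is None:
        return []
    return fetch_validated(db, str(real_id))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input :", fetch_vulnerable(db, "34"))
    print("vulnerable, injected     :", fetch_vulnerable(db, INJECTED_ID))
    print("parameterized, injected  :", fetch_parameterized(db, INJECTED_ID))
    print("validated, injected      :", fetch_validated(db, INJECTED_ID))
    aliases = SessionAliases()
    token = aliases.alias(35)
    print("alias ?a=" + token, "->", fetch_by_alias(db, aliases, token))
    print("forged alias             :", fetch_by_alias(db, aliases, "forged"))
```

Running it shows the vulnerable path returning `admin:hunter2` for the injected id while the other three return the honest article for `34` and nothing for the attack; the session alias additionally stops a visitor from walking `?id=33`, `?id=35`, and so on, because the URL no longer carries the real key at all.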