From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Greg Stark <gsstark(at)mit(dot)edu> |
Cc: | Neil Conway <neilc(at)samurai(dot)com>, Agent M <agentm(at)themactionfaction(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: binds only for s,u,i,d? |
Date: | 2006-07-05 17:13:48 |
Message-ID: | 44ABF34C.8040809@dunslane.net |
Lists: | pgsql-hackers |
Greg Stark wrote:
>Neil Conway <neilc(at)samurai(dot)com> writes:
>
>>On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
>>
>>>Why can't preparation be used as a global anti-injection facility?
>>
>>All that work would need to be deferred to EXECUTE-time, which would largely
>>defeat the purpose of server-side prepared statements, no?
>
>It would also defeat the anti-injection purpose. If you can use parameters to
>change the semantics of the query then you're not really protected any more.
>The whole security advantage of using parameters comes from knowing exactly
>what a query will do with the data you provide.
>
Exactly. In particular, the suspect data should never hit the parser.
You can defeat that with a function call, of course, but you have to
work at it.
cheers
andrew
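As an added illustration of the point made in this message (not code from the thread or from PostgreSQL itself): under PREPARE the bound value stays data and never reaches the parser, while the "function call" escape hatch is a function that pastes its argument into dynamic SQL. The table, its rows and the SQL-looking value are constructed; psql syntax and PostgreSQL 9.1 or later (EXECUTE ... USING, format()) are assumed.

```sql
-- Added example, not part of the original thread.  Constructed table and
-- values; run in psql against PostgreSQL 9.1 or later.
CREATE TEMP TABLE accounts (id int, owner text, balance numeric);
INSERT INTO accounts VALUES (1, 'alice', 10), (2, 'bob', 20);

-- 1. Server-side prepared statement.  The statement text is parsed and
--    planned at PREPARE time; $1 is a typed data slot, not a hole for SQL.
PREPARE by_owner (text) AS
    SELECT id, owner, balance FROM accounts WHERE owner = $1;

-- A constructed value that merely looks like SQL.  It is compared as a plain
-- string against "owner" and never reaches the parser, so the WHERE clause
-- cannot change shape: this returns zero rows, not the whole table.
EXECUTE by_owner ($$' OR 1=1 --$$);

-- 2. The "function call" caveat from the message: a function that splices
--    its argument into a query string hands the data back to the parser.
CREATE FUNCTION by_owner_concat(p text)
RETURNS TABLE (id int, owner text, balance numeric)
LANGUAGE plpgsql AS $f$
BEGIN
    -- p becomes part of the statement text; the quote inside the constructed
    -- value closes the literal and the remainder is parsed as SQL
    RETURN QUERY EXECUTE
        'SELECT id, owner, balance FROM accounts WHERE owner = ''' || p || '''';
END $f$;

-- 3. Hardened form: dynamic SQL is fine as long as the data travels as a
--    bound parameter (USING), or is quoted by the server via format('%L').
CREATE FUNCTION by_owner_bound(p text)
RETURNS TABLE (id int, owner text, balance numeric)
LANGUAGE plpgsql AS $f$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT id, owner, balance FROM accounts WHERE owner = $1' USING p;
END $f$;

-- Same argument, two outcomes: the concatenating function returns both rows,
-- the bound one returns none.
SELECT * FROM by_owner_concat($$' OR 1=1 --$$);
SELECT * FROM by_owner_bound($$' OR 1=1 --$$);
```

Reviewing PL/pgSQL for `EXECUTE` built with `||` on caller-supplied text is the practical check this thread implies: that is the one place where a bound parameter gets a second trip through the parser.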