| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | Greg Stark <gsstark(at)mit(dot)edu> |
| Cc: | Neil Conway <neilc(at)samurai(dot)com>, Agent M <agentm(at)themactionfaction(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: binds only for s,u,i,d? |
| Date: | 2006-07-05 17:13:48 |
| Message-ID: | 44ABF34C.8040809@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Greg Stark wrote:
>Neil Conway <neilc(at)samurai(dot)com> writes:
>
>
>
>>On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
>>
>>
>>
>>>Why can't preparation be used as a global anti-injection facility?
>>>
>>>
>>All that work would need to be deferred to EXECUTE-time, which would largely
>>defeat the purpose of server-side prepared statements, no?
>>
>>
>
>It would also defeat the anti-injection purpose. If you can use parameters to
>change the semantics of the query then you're not really protected any more.
>The whole security advantage of using parameters comes from knowing exactly
>what a query will do with the data you provide.
>
>
>
Exactly. In particular, the suspect data should never hit the parser.
You can defeat that with a function call, of course, but you have to
work at it.
cheers
andrew
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Phil Frost | 2006-07-05 18:51:09 | lastval exposes information that currval does not |
| Previous Message | Greg Stark | 2006-07-05 16:10:35 | Re: binds only for s,u,i,d? |