| From: | Kenneth Downs <ken(at)secdat(dot)com> |
|---|---|
| To: | Kevin Hunter <hunteke(at)earlham(dot)edu> |
| Cc: | Ron Johnson <ron(dot)l(dot)johnson(at)cox(dot)net>, PostgreSQL General List <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: HIPPA (was Re: Anyone know ...) |
| Date: | 2007-03-09 18:53:15 |
| Message-ID: | 45F1AD1B.7000602@secdat.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Kevin Hunter wrote:
>>> What about an SQL injection bug that allows for increased privileges?
>>
>> Um, web programming 101 is that you escape quotes on user-supplied
>> inputs. That ends SQL injection.
>
> Pardon my naivete (I'm fairly new to web/DB programming) . . . is this
> the current standard method of protection from SQL injection? How
> does it compare to SQL preparation with bound variables?
When you use SQL Prepared statements it is normal for the db driver to
escape out the variables for you. Well at least it is in PHP, I can't
say for other systems.
>
> Kevin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Scott Marlowe | 2007-03-09 18:57:32 | Re: "oracle to postgresql" conversion |
| Previous Message | Richard Broersma Jr | 2007-03-09 18:46:20 | Re: Sw to generate ER model |