Re: Protection from SQL injection

From: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-30 12:42:51
Message-ID: 5f211bd50804300542h50ece8b7r1f6ffd76daef8569@mail.gmail.com
Lists: pgsql-hackers

Hi,

> How many people are using literals in Java?

Not sure if I understood the question... In Java most people use
constants (final static). 'Checkstyle' can find 'magic numbers' in the
source code.

If the constants feature was very important in SQL, people would have
requested it, and it would be in the SQL standard by now. There is a
workaround: user defined functions.

> Disabling multi-statement commands

Disabling multi-statement commands just limits the effect of SQL
injection. Disabling literals actually protects from SQL injection.
Both features are important.

> ( almost ? ) the same result by doing all access using functions

This also doesn't protect from SQL injection, it only limits the effect.

> Half a security measure is almost always worse than none at all

Cars and houses have locks. Locks can't fully protect you. Do they
give the illusion of security? Maybe. But it's definitely better to have
them.

> headlines: "New PostgreSQL feature breaks 99% applications"

Not if it's disabled by default. What about "New PostgreSQL feature
offers 95% protection from SQL injection"?

> The developers and admins who know about this feature and want to use it...
> quality produced by these people is higher than average and less likely to have such basic faults.

Maybe. I found some problems in my code when enabling this feature,
and I thought I was safe (or paranoid :-).

Regards,
Thomas
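
The "disabling literals" mode argued for in this message, as an added
example that is not part of the thread and not PostgreSQL code: a
client-side stand-in that scans the SQL text for string and numeric
literals and refuses to execute a statement that contains any, so values
can only reach the server as parameters. The table, the row and the
`users` / `name` names are constructed for the demo; `?` and `$1` are
treated as parameter markers.

```python
import re
import sqlite3

# Tokenizer for the statement text. Comments and "quoted identifiers" are
# consumed first so their contents are never mistaken for literals;
# '?' and PostgreSQL-style '$1' are parameters, not literals.
_TOKEN = re.compile(r"""
    (?P<line_comment>--[^\n]*)                  # -- comment to end of line
  | (?P<block_comment>/\*.*?\*/)                # /* block comment */
  | (?P<ident_q>"(?:[^"]|"")*")                 # "quoted identifier"
  | (?P<string>'(?:[^']|'')*')                  # 'string literal', '' escapes a quote
  | (?P<param>\?|\$[0-9]+)                      # ? or $1 placeholder
  | (?P<word>[A-Za-z_][A-Za-z0-9_$]*)           # keyword or bare identifier
  | (?P<number>\d+(?:\.\d*)?(?:[eE][+-]?\d+)?)  # numeric literal
  | (?P<other>\S)                               # any other character
""", re.VERBOSE | re.DOTALL)


def find_literals(sql: str) -> list[str]:
    """Return every string or numeric literal appearing in the SQL text."""
    return [m.group() for m in _TOKEN.finditer(sql)
            if m.lastgroup in ("string", "number")]


def guarded_execute(conn: sqlite3.Connection, sql: str, params=()):
    """Run the statement only if its text carries no literals at all."""
    literals = find_literals(sql)
    if literals:
        raise ValueError(f"literals not allowed in SQL text: {literals}")
    return conn.execute(sql, params).fetchall()


def run_demo() -> tuple[list, list[str]]:
    """Constructed data: one row, then the same benign input 'alice' sent
    once as a parameter and once spliced into the statement text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (1, "alice"))
    user_input = "alice"
    # Value travels separately from the text: accepted and executed.
    ok = guarded_execute(conn, "SELECT id FROM users WHERE name = ?", (user_input,))
    # Value spliced into the text becomes a literal: rejected even though this
    # particular input is harmless, which is what forces parameterization.
    spliced = "SELECT id FROM users WHERE name = '" + user_input + "'"
    try:
        guarded_execute(conn, spliced)
        rejected = []
    except ValueError:
        rejected = find_literals(spliced)
    return ok, rejected
```

Schema statements with DEFAULT values and similar DDL carry literals by
nature, so such a mode is something to enable per application connection,
not for every session on the server.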
