| From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
|---|---|
| To: | "Josh Berkus" <josh(at)agliodbs(dot)com> |
| Cc: | <pgsql-www(at)postgresql(dot)org> |
| Subject: | Re: Your FAQ page :-) |
| Date: | 2006-05-23 17:33:15 |
| Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCEA0F9AE@algol.sollentuna.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
> > Applications which use parameterized prepared statement syntax
> > exclusively (e.g. "SELECT * FROM table WHERE id = ?", $var1).
> >
> >
> > Umm. AFAIK that's only true if the client library actually uses
> > paremetrised queries over the wire, which I'm quite sure
> all don't. I
> > beleive PHP doesn't, at leas tnot until the very latest
> version, for
> > example.
>
> Hmmm. Can you think of a way to re-word that without doing
> an entire paragraph?
The wording I have for the bugtraq post (out in a couple of minutes) is:
* If application always sends untrusted strings as out-of-line
parameters,
instead of embedding them into SQL commands, it is not vulnerable.
This is
only available in PostgreSQL 7.4 or later.
Based on Toms suggestion.
Though that may be a bit too technical? ;)
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Josh Berkus | 2006-05-23 17:41:45 | Re: Your FAQ page :-) |
| Previous Message | Josh Berkus | 2006-05-23 17:31:02 | Re: Your FAQ page :-) |