Re: Protection from SQL injection - Mailing list pgsql-sql

From Tom Lane
Subject Re: Protection from SQL injection
Msg-id 12890.1209229514@sss.pgh.pa.us
In response to Protection from SQL injection  ("Thomas Mueller" <thomas.tom.mueller@gmail.com>)
List pgsql-sql
"Thomas Mueller" <thomas.tom.mueller@gmail.com> writes:
> SET ALLOW_LITERALS NONE;

I think you missed April Fool's Day...

This is just silly, as it makes life impossibly painful for users
(constants are hardly a useless part of SQL) and it doesn't really
plug any holes.  As an example:
select * from tab where intcol = intcol; delete from tab;

contains no literals and yet the delete is very probably injected.
        regards, tom lane
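The point above, shown as an added example that is not part of the thread: a literal-free payload sails past a hypothetical "no constants allowed" filter yet still drops the table when the input is spliced into the SQL text, while a bound parameter makes the same input harmless. The table, rows, payload string, the crude `contains_literal` stand-in for `ALLOW_LITERALS NONE`, and the use of sqlite3's `executescript` to mimic a driver that accepts stacked statements are all assumptions made for this illustration.

```python
import sqlite3

# Attacker-controlled "value" for intcol. It contains no quoted string and no
# number, only a column name and a second statement, exactly the shape of
# Tom's example: select * from tab where intcol = intcol; delete from tab;
PAYLOAD = "intcol; delete from tab; --"


def fresh_db():
    """Constructed sample schema and rows (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tab (intcol integer)")
    conn.executemany("insert into tab values (?)", [(1,), (2,), (3,)])
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("select count(*) from tab").fetchone()[0]


def contains_literal(sql):
    """Crude stand-in for a hypothetical ALLOW_LITERALS NONE check:
    flag any quoted string or bare digit in the statement text."""
    return any(ch in "'\"" or ch.isdigit() for ch in sql)


def vulnerable_lookup(conn, user_value):
    """String-splices the input into the query. executescript runs every
    statement in the string, standing in for a driver that allows stacked
    queries, so the injected DELETE executes too."""
    sql = f"select * from tab where intcol = {user_value}"
    conn.executescript(sql)
    return sql


def safe_lookup(conn, user_value):
    """Binds the input as a parameter: it is compared as a value against
    intcol and can never become SQL syntax, literals or not."""
    return conn.execute(
        "select * from tab where intcol = ?", (user_value,)
    ).fetchall()


if __name__ == "__main__":
    conn = fresh_db()
    sql = vulnerable_lookup(conn, PAYLOAD)
    print("spliced statement :", sql)
    print("has literals?     :", contains_literal(sql))   # False: filter passes it
    print("rows after splice :", row_count(conn))          # 0: table emptied

    conn = fresh_db()
    print("bound lookup rows :", safe_lookup(conn, PAYLOAD))  # []
    print("rows after bind   :", row_count(conn))             # 3: untouched
```

The literal filter never fires because the injected text is made entirely of identifiers and keywords; the only thing that actually separates data from code is parameter binding (or, equivalently, server-side prepared statements), which is the fix the thread is circling around.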

