Gregory Stark <stark@enterprisedb.com> writes:
> "Andrew Sullivan" <ajs@commandprompt.com> writes:
>> The _principal_ trick with SQL injection is to fool the application
>> into somehow handing a ";" followed by an arbitrary SQL statement.
> They're the principal trick only because they're the most convenient. If you
> block them (as you can today by using PQExecParams() !!!) then people will
> switch to other things.
Sure, modifying the WHERE clause is still possible, but the attacker is
a lot more limited in what he can do if he can't tack on a whole new
command.
The important aspects of this that I see are:
1. Inexpensive to implement;
2. Unlikely to break most applications;
3. Closes off a fairly large class of injection attacks.
The cost/benefit ratio looks pretty good (unlike the idea that started
this thread...)
regards, tom lane
