"Thomas Mueller" <thomas.tom.mueller@gmail.com> writes:
>> 1. Inexpensive to implement
> Disabling literals wouldn't be much harder to implement I believe, but
> I don't know the PostgreSQL internals.
You're ignoring the client-side costs of repairing broken applications.
(If it only broke applications that were in fact insecure, that would be
one thing, but having to change code that there is nothing wrong with
is not something that people will accept easily.)
> Disabling literals is still the only way to actually protect from SQL
> injection.
If it were actually a complete defense then maybe the costs would be
justifiable; but it isn't, as per previous discussion.
regards, tom lane
