Home > mailing lists

Re: When to encrypt - Mailing list pgsql-general

From	dom@happygiraffe.net (Dominic Mitchell)
Subject	Re: When to encrypt
Date	December 6, 2004 12:58:20
Msg-id	20041206095805.GA50010@ppe.happygiraffe.net Whole thread Raw
In response to	Re: When to encrypt (Greg Stark <gsstark@mit.edu>)
List	pgsql-general

Tree view

On Sun, Dec 05, 2004 at 11:31:34PM -0500, Greg Stark wrote:
> Derek Fountain <dflists@iinet.net.au> writes:
> > If another SQL Injection vulnerability turns up (which it might, given the
> > state of the website code),
>
> You will never see another SQL injection vulnerability if you simply switch to
> always using prepared queries and placeholders. Make it a rule that you
> _never_ interpolate variables into the query string. period. No manual quoting
> to get right, no subtle security audit necessary: If the SQL query isn't a
> constant string you reject it.

Another good piece of defense is mod_security (assuming that your web
server is Apache).  You can teach it about SQL injection attacks with a
little work.

    http://www.modsecurity.org

-Dom

pgsql-general by date:

From: peter pilsl
Date: 06 December 2004, 12:06:35
Subject: select single entry and its neighbours using direct-acess to index?

From: Pierre-Frédéric Caillaud
Date: 06 December 2004, 13:09:19
Subject: Re: select single entry and its neighbours using direct-acess to index?

Re: When to encrypt - Mailing list pgsql-general

Previous

Next