On Sat, 12 Apr 2008 12:39:38 -0400
Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Ivan Sergio Borgonovo <mail@webthatworks.it> writes:
> > I may sound naive but having a way to protect the DB from this
> > kind of injections looks as a common problem, I'd thought there
> > was already a common solution.
>
> Use prepared statements.
Yeah... but how can I effectively enforce the policy that ALL input
will be passed through prepared statements?
If I can't, and I doubt there is a system that will let me enforce
that policy at a reasonable cost, why not providing a safety net that
will at least raise the bar for the attacker at a very cheap cost?
If programmers didn't make errors or errors where cheap to find there
wouldn't be any sql injection problem.
--
Ivan Sergio Borgonovo
http://www.webthatworks.it