Home > mailing lists

Re: SQL injection, php and queueing multiple statement - Mailing list pgsql-general

From	Ivan Sergio Borgonovo
Subject	Re: SQL injection, php and queueing multiple statement
Date	April 12, 2008 18:17:39
Msg-id	20080412201731.1e751826@webthatworks.it Whole thread Raw
In response to	Re: SQL injection, php and queueing multiple statement (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: SQL injection, php and queueing multiple statement (paul rivers <rivers.paul@gmail.com>) Re: SQL injection, php and queueing multiple statement (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-general

Tree view

On Sat, 12 Apr 2008 12:39:38 -0400
Tom Lane <tgl@sss.pgh.pa.us> wrote:

> Ivan Sergio Borgonovo <mail@webthatworks.it> writes:
> > I may sound naive but having a way to protect the DB from this
> > kind of injections looks as a common problem, I'd thought there
> > was already a common solution.
>
> Use prepared statements.

Yeah... but how can I effectively enforce the policy that ALL input
will be passed through prepared statements?

If I can't, and I doubt there is a system that will let me enforce
that policy at a reasonable cost, why not providing a safety net that
will at least raise the bar for the attacker at a very cheap cost?

If programmers didn't make errors or errors where cheap to find there
wouldn't be any sql injection problem.

--
Ivan Sergio Borgonovo
http://www.webthatworks.it

pgsql-general by date:

From: "Pavan Deolasee"
Date: 12 April 2008, 18:13:10
Subject: Re: Postgres on shared network drive

From: "Dawid Kuroczko"
Date: 12 April 2008, 18:44:36
Subject: Re: Postgres on shared network drive

Re: SQL injection, php and queueing multiple statement - Mailing list pgsql-general

Previous

Next