Re: Protection from SQL injection - Mailing list pgsql-hackers

From Andrew Sullivan
Subject Re: Protection from SQL injection
Date
Msg-id 20080429205520.GF4515@commandprompt.com
In response to Re: Protection from SQL injection  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: Protection from SQL injection  (Andrew Sullivan <ajs@commandprompt.com>)
List pgsql-hackers
On Tue, Apr 29, 2008 at 04:33:01PM -0400, Andrew Dunstan wrote:

> Moreover, it seems unlikely that it will even cover the field. A partial 
> cloak might indeed be worse than none, in that it will give some developers 
> an illusion of having security.

I think this is a really important point, and one that isn't getting
enough attention in this discussion. Half a security measure is
almost always worse than none at all, exactly because people stop
thinking they have to worry about that area of security at all. I
think without a convincing argument that the proposal will even come
close to covering most SQL injection cases, it's a bad idea.

A

-- 
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/
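An added illustration of the "partial cloak" argument above, not part of the thread and not a description of the proposal being debated: the escaping function below is a hypothetical protection that only covers values embedded in quoted string literals. Run against a constructed SQLite table (sqlite3 is used so the example runs offline; the quoting behaviour shown is the same in PostgreSQL), it blocks the injection it was designed for and does nothing for the same payload in a numeric context, while a parameterised query covers both.

```python
import sqlite3

# Constructed sample data for the example; the "admin" row is the one a
# caller should only be able to read by asking for its id explicitly.
ROWS = [(1, "alice"), (2, "bob"), (3, "admin")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def escape_quotes(value):
    """Hypothetical partial cloak: doubles single quotes, as SQL string
    literals require. It is only meaningful when the value is placed
    inside a quoted literal; it knows nothing about other contexts."""
    return str(value).replace("'", "''")


def lookup_by_name_escaped(conn, name):
    # Quoted string context: the cloak covers this case.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % escape_quotes(name)
    return conn.execute(sql).fetchall()


def lookup_by_id_escaped(conn, user_id):
    # Numeric context: there are no quotes around the value, so quote
    # escaping is a no-op and attacker-controlled text reaches the parser.
    sql = "SELECT id, name FROM users WHERE id = %s" % escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def lookup_by_id_param(conn, user_id):
    # Parameterised query: the value never becomes part of the SQL text,
    # so the surrounding context no longer matters.
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def demo():
    """Run the three lookups and return their results for inspection."""
    conn = _connect()
    numeric_payload = "1 OR 1=1"
    return {
        # Cloak works: the whole string becomes one literal, no row matches.
        "name_quoted": lookup_by_name_escaped(conn, "bob' OR '1'='1"),
        # Cloak fails: WHERE id = 1 OR 1=1 returns every row, admin included.
        "id_escaped": lookup_by_id_escaped(conn, numeric_payload),
        # Parameter binding: the payload is compared as a value, no match.
        "id_param": lookup_by_id_param(conn, numeric_payload),
        # Parameter binding still serves a legitimate lookup.
        "id_param_legit": lookup_by_id_param(conn, 1),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The point the example makes concrete is that an escaping layer which cannot see the query's grammar can only guess at context; whichever context it guesses wrong becomes the hole, and developers who believe the layer "handles injection" stop looking for it.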

