Re: Protection from SQL injection - Mailing list pgsql-hackers

From Andreas 'ads' Scherbaum
Subject Re: Protection from SQL injection
Date
Msg-id 20080430021921.6b179b9e@iridium.wars-nicht.de
In response to Re: Protection from SQL injection  ("Thomas Mueller" <thomas.tom.mueller@gmail.com>)
List pgsql-hackers
On Tue, 29 Apr 2008 22:18:48 +0200 Thomas Mueller wrote:

> For PostgreSQL the 'disable literals' feature would be great
> publicity: PostgreSQL would be the first only major database that has
> a good story regarding SQL injection. Yes it's not the magic silver
> bullet, but databases like MS SQL Server, Oracle or MySQL would look
> really bad.

I don't think so.
Given the fact that enabling this feature by default would break almost
all applications, you have to disable this by default. No use here
because almost nobody will know about it. Oh, and I can see the
headlines: "New PostgreSQL feature breaks 99% of applications".


> > Forbidding literals will break absolutely every SQL-using application on the planet
> 
> Well, it's optional. If a developer or admin wants to use it, he will
> know that it could mean some work.

The developers and admins who know about this feature and want to use
it are also the developers and admins who know about SQL injections.
Eventually the code quality produced by these people is higher than
average and less likely to have such basic faults.


> Even if the feature is not enabled, it's still good to have it.

Huh? How so?
Just because one can say "We have a feature against SQL injections"
which will not be used by literally anyone?


Kind regards

-- 
Andreas 'ads' Scherbaum
German PostgreSQL User Group
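The 'disable literals' switch discussed in this thread, sketched as an added Python example (not code from the thread or from PostgreSQL): a minimal tokenizer flags inline string and numeric literals, so a statement that still embeds a value is refused while a parameterised one passes, and a statement with an ordinary hard-coded constant like `active = 1` is refused too, which is the breakage Andreas describes. Assumptions: the simplified tokenizer recognises single-quoted strings, numbers and `$1`/`%s`/`?` markers only; PostgreSQL dollar quoting and comments are not handled.

```python
import re

# Assumed, simplified SQL tokenizer. Identifiers and parameter markers are
# tried first so that "t1", "col_2" or "$1" are never mistaken for numbers.
_TOKEN = re.compile(r"""
    (?P<ident>[A-Za-z_][A-Za-z0-9_$]*)      # bare identifier or keyword
  | (?P<quoted_ident>"(?:[^"]|"")*")        # "quoted identifier"
  | (?P<param>\$[0-9]+|%s|\?)               # $1 / %s / ? placeholders
  | (?P<string>'(?:[^']|'')*'?)             # 'string literal', '' escapes a quote
  | (?P<number>[0-9]+(?:\.[0-9]+)?)         # numeric literal
  | (?P<other>\S)                           # operators, punctuation
""", re.VERBOSE)


def find_literals(sql: str) -> list:
    """Return every string or numeric literal embedded in the statement.

    An unterminated quote is still reported as a literal, since a statement
    built by concatenation is exactly what the switch is meant to catch.
    """
    return [m.group() for m in _TOKEN.finditer(sql)
            if m.lastgroup in ("string", "number")]


def check_statement(sql: str, allow_literals: bool) -> bool:
    """The proposed switch: with literals disabled, accept a statement only
    if every value arrives through a parameter marker."""
    return allow_literals or not find_literals(sql)


if __name__ == "__main__":
    name = "bob"  # constructed, entirely harmless user input
    # Constructed statements: only the first one survives 'disable literals';
    # the second embeds user input, the third merely hard-codes a constant.
    for sql in ("SELECT id FROM users WHERE name = $1",
                "SELECT id FROM users WHERE name = '" + name + "'",
                "SELECT id FROM users WHERE active = 1 AND name = $1"):
        print(check_statement(sql, allow_literals=False), sql)
```

The third statement is the point of the reply: nothing about it is unsafe, yet the mode rejects it, so an application full of such constants cannot simply turn the switch on.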

