Doug,
DM> Geoff Caplan <geoff@variosoft.com> writes:
>> But in web work, you are often using GET/POST data directly in your
>> SQL clauses, so the untrusted data is part of the query syntax and not
>> just a value.
DM> Can you give an example of this that isn't also an example of
DM> obviously bad application design?
I'm no expert to put it mildly, but if you Google for "SQL Injection
Attack" you'll find a lot of papers by security agencies and
consultancies. You could start with these:
www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.net-security.org/article.php?id=142
They are SQL Server oriented, but many of the issues would apply to
Postgres.
------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154
