Re: Sql injection attacks - Mailing list pgsql-general

From Tom Lane
Subject Re: Sql injection attacks
Date
Msg-id 27702.1090854781@sss.pgh.pa.us
Whole thread Raw
In response to Re: Sql injection attacks  (Geoff Caplan <geoff@variosoft.com>)
Responses Re: Sql injection attacks
List pgsql-general
Geoff Caplan <geoff@variosoft.com> writes:
> Obviously, proper validation is a given for all kinds of reasons. But
> the problem with validation/escaping as the primary defense against
> injection seems to be that simply escaping would not catch every type
> of insertion via strings.

I think you misunderstood.  Escaping is perfectly safe (given a correct
escaping function) if it's used on *every* untrustworthy input string.
The argument for the "keep data separate from code" approach is
essentially just that it's easier to be sure you haven't forgotten
anyplace where you need to escape.

            regards, tom lane

pgsql-general by date:

Previous
From: Lincoln Yeoh
Date:
Subject: Re: Sql injection attacks
Next
From: Geoff Caplan
Date:
Subject: Re: Sql injection attacks