Re: Sql injection attacks - Mailing list pgsql-general

From Tom Allison
Subject Re: Sql injection attacks
Date
Msg-id 4105EF1E.2020901@tacocat.net
Whole thread Raw
In response to Re: Sql injection attacks  (Geoff Caplan <geoff@variosoft.com>)
Responses Re: Sql injection attacks
Sequences & rules
List pgsql-general
Geoff Caplan wrote:
> Hi folks
>
> Seems we have two schools of thought:
>
> 1) The validation/escaping approach, supported by Bill and Jim
>
> 2) The "don't mix data with code" approach supported by Peter and
> Greg.
>
> As I learn more about the issues, I am increasingly veering towards
> the second approach.
>


Now I always assumed that the correct approach was always going to be
D) ALL of the above.

Furthermore, if you are really concerned about passing information
through the URL, consider relating data in your database to sessions,
cookies, and file caches to aliase all those fields you pass back and
forth to a session ID or similar.  The example of "...index.html?id=34"
is sufficient for much of this though I doubt 'zine articles merit
greater security than this.


pgsql-general by date:

Previous
From: Tom Allison
Date:
Subject: Re: Sql injection attacks
Next
From: Pierre-Frédéric Caillaud
Date:
Subject: Re: Sql injection attacks