Re: Sql injection attacks - Mailing list pgsql-general

From Tom Allison
Subject Re: Sql injection attacks
Date
Msg-id 4105EF1E.2020901@tacocat.net
In response to Re: Sql injection attacks  (Geoff Caplan <geoff@variosoft.com>)
Responses Re: Sql injection attacks  (Pierre-Frédéric Caillaud<lists@boutiquenumerique.com>)
Sequences & rules  (Pierre-Frédéric Caillaud<lists@boutiquenumerique.com>)
List pgsql-general
Geoff Caplan wrote:
> Hi folks
>
> Seems we have two schools of thought:
>
> 1) The validation/escaping approach, supported by Bill and Jim
>
> 2) The "don't mix data with code" approach supported by Peter and
> Greg.
>
> As I learn more about the issues, I am increasingly veering towards
> the second approach.
>


Now I always assumed that the correct approach was always going to be
D) ALL of the above.

Furthermore, if you are really concerned about passing information
through the URL, consider relating data in your database to sessions,
cookies, and file caches to alias all those fields you pass back and
forth to a session ID or similar.  The example of "...index.html?id=34"
is sufficient for much of this though I doubt 'zine articles merit
greater security than this.
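The three options discussed in this thread side by side, as an added example that is not code from the list or from any poster: the "mix data with code" query the thread warns about, the validation school, the parameterized ("don't mix data with code") school, and Tom's session alias layered on top. The table, rows, session store and the use of Python's stdlib sqlite3 in place of PostgreSQL are all constructed assumptions so the example runs offline.

```python
import secrets
import sqlite3

# Constructed in-memory stand-in for the 'zine database (assumption, not PostgreSQL).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO articles VALUES (?, ?)",
                 [(34, "Zine issue 34"), (35, "Zine issue 35 (unpublished)")])


def lookup_unsafe(raw_id):
    """Data mixed into code: whatever the URL carries becomes part of the SQL."""
    return conn.execute(f"SELECT title FROM articles WHERE id = {raw_id}").fetchall()


def validate_id(raw_id):
    """School 1 (validation): accept only a canonical non-negative integer string."""
    if not raw_id.isdigit():
        raise ValueError("id must be a plain integer")
    return int(raw_id)


def lookup_param(article_id):
    """School 2 (don't mix data with code): the driver binds the value as data."""
    return conn.execute("SELECT title FROM articles WHERE id = ?", (article_id,)).fetchall()


def lookup_validated_and_bound(raw_id):
    """Schools 1 and 2 together: validate the URL value, then bind it."""
    return lookup_param(validate_id(raw_id))


# Tom's addition: alias the real id to an opaque per-session token so the URL
# never carries the database key.  A dict stands in for the session store.
_session_aliases = {}


def alias_for(session_id, article_id):
    """Mint a token that resolves to article_id only within this session."""
    token = secrets.token_urlsafe(16)
    _session_aliases[(session_id, token)] = article_id
    return token


def lookup_by_alias(session_id, token):
    """'D) all of the above': alias resolves server side, then a bound query."""
    article_id = _session_aliases.get((session_id, token))
    if article_id is None:
        return []
    return lookup_param(article_id)
```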

