Re: SQL injection - Mailing list pgsql-general

From Kevin Murphy
Subject Re: SQL injection
Date
Msg-id 43676D4A.9090908@genome.chop.edu
In response to Re: SQL injection  ("Matthew D. Fuller" <fullermd@over-yonder.net>)
Responses Re: SQL injection  (Tom Lane <tgl@sss.pgh.pa.us>)
Re: SQL injection  (Benjamin Smith <lists@benjamindsmith.com>)
List pgsql-general
Can some knowledgeable person set the record straight on SQL injection,
please?  I thought that the simple answer was to use prepared statements
with bind variables (except when you are letting the user specify whole
chunks of SQL, ugh), but there are many people posting who either don't
know about prepared statements or know something I don't.

Thanks,
Kevin Murphy

P.S.  I don't use PHP, but google informs me that PHP definitely has
prepared statement options: PEAR::DB, PDO in 5.X+, etc.
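As an added example (not from Kevin Murphy or anyone else in this thread), the point about prepared statements with bind variables, and the exception for user-supplied "chunks of SQL", worked through in code. It uses Python's sqlite3 module only so it runs offline; the `users` table and the rows in it are constructed here. A PostgreSQL driver such as psycopg2, or PHP's PDO, separates parameters from SQL text in the same way.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for PostgreSQL.

    Assumption: sqlite3 is used only so the example runs offline; the
    parameter-binding behaviour shown below is the same in psycopg2 and PDO.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.org", 1), ("bob", "bob@example.org", 0)],
    )
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable: the caller's input is spliced into the SQL text, so quotes
    # and operators in it are parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Prepared statement with a bind variable: the statement is parsed with a
    # placeholder, and the value is supplied separately. Whatever the value
    # contains, it is compared as data and never interpreted as SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Identifiers (column names, table names, ORDER BY clauses) cannot be bound:
# this is the "user specifies whole chunks of SQL" case. Restrict such input
# to a fixed allowlist instead of trusting it.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    return conn.execute("SELECT name FROM users ORDER BY " + column).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))  # every row comes back
    print("safe:  ", find_user_safe(db, payload))    # no row has that literal name
    print("sorted:", list_users_sorted(db, "name"))
```

Run it and the same injection payload returns every user from the string-built query and nothing from the bound one. The sort helper shows the one place binding does not apply: an identifier has to be chosen from a list the application controls, not taken from the request.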
