Re: binds only for s,u,i,d? - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: binds only for s,u,i,d?
Date
Msg-id 44ABF34C.8040809@dunslane.net
In response to Re: binds only for s,u,i,d?  (Greg Stark <gsstark@mit.edu>)
List pgsql-hackers
Greg Stark wrote:

> Neil Conway <neilc@samurai.com> writes:
>
>> On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
>>
>>> Why can't preparation be used as a global anti-injection facility?
>>
>> All that work would need to be deferred to EXECUTE-time, which would largely
>> defeat the purpose of server-side prepared statements, no?
>
> It would also defeat the anti-injection purpose. If you can use parameters to
> change the semantics of the query then you're not really protected any more.
> The whole security advantage of using parameters comes from knowing exactly
> what a query will do with the data you provide.

Exactly. In particular, the suspect data should never hit the parser. 
You can defeat that with a function call, of course, but you have to 
work at it.

cheers

andrew
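The three situations the thread contrasts, shown as an added example that is not part of the original message or of PostgreSQL itself: a query built by string concatenation, where the input reaches the parser; a server-side prepared statement, where the bound value is only ever data; and the "function call" caveat, where a PL/pgSQL function rebuilds SQL from its argument and so puts a bound parameter back through the parser. The table, the function names, the sample rows and the injected input are all constructed for the example; it assumes a PostgreSQL 9.1 or later server and psql.

```sql
-- Added example, not from the thread. Table, data and function names are hypothetical.
CREATE TABLE accounts (id serial PRIMARY KEY, username text NOT NULL, balance numeric NOT NULL);
INSERT INTO accounts (username, balance) VALUES ('alice', 100), ('bob', 50);

-- 1. Query text assembled by the client from the input  ' OR 1=1 --
--    The input is parsed as SQL: the quote closes the literal, OR 1=1 widens the
--    WHERE clause, and the comment swallows the original closing quote (which is
--    why the terminating semicolon has to go on its own line here).
SELECT id, username, balance FROM accounts WHERE username = '' OR 1=1 -- '
;
-- returns every row

-- 2. Server-side prepared statement: parsed and planned once with $1 as a
--    placeholder. Whatever is bound at EXECUTE time is a value, never SQL text.
PREPARE by_name (text) AS
    SELECT id, username, balance FROM accounts WHERE username = $1;
EXECUTE by_name('alice');            -- one row
EXECUTE by_name(''' OR 1=1 --');     -- zero rows: no account has that literal name

-- 3. The caveat: a function that concatenates its argument into dynamic SQL
--    hands the bound value to the parser again, defeating the protection.
CREATE FUNCTION lookup_unsafe(name text) RETURNS SETOF accounts
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM accounts WHERE username = ''' || name || '''';
END $$;

PREPARE via_unsafe (text) AS SELECT * FROM lookup_unsafe($1);
EXECUTE via_unsafe(''' OR 1=1 --');  -- every row: injection through a bound parameter

-- 4. Fixed: dynamic SQL that passes the value with USING keeps it out of the
--    parser, so the parameter is data all the way down.
CREATE FUNCTION lookup_safe(name text) RETURNS SETOF accounts
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM accounts WHERE username = $1' USING name;
END $$;

PREPARE via_safe (text) AS SELECT * FROM lookup_safe($1);
EXECUTE via_safe(''' OR 1=1 --');    -- zero rows
```

Case 3 is the "you have to work at it" path: nothing in the client or in the prepared statement is wrong, the hole is entirely inside a function that rebuilds query text. When dynamic SQL is unavoidable, pass values with `USING` (or quote them with `format('%L', ...)` / `quote_literal`) rather than concatenating them.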
