Greg Stark wrote:
>Neil Conway <neilc@samurai.com> writes:
>
>>On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
>>
>>>Why can't preparation be used as a global anti-injection facility?
>>>
>>All that work would need to be deferred to EXECUTE-time, which would largely
>>defeat the purpose of server-side prepared statements, no?
>>
>
>It would also defeat the anti-injection purpose. If you can use parameters to
>change the semantics of the query then you're not really protected any more.
>The whole security advantage of using parameters comes from knowing exactly
>what a query will do with the data you provide.
>
Exactly. In particular, the suspect data should never hit the parser.
You can defeat that with a function call, of course, but you have to
work at it.
cheers
andrew
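The point made above, that a bound parameter is data and never reaches the parser while anything that rebuilds statement text from that data (Andrew's "function call" case) hands it back to the parser, as an added example that is not part of this thread. It uses Python's sqlite3 module instead of PostgreSQL so it runs without a server; the table, rows and probe string are constructed for the demonstration.

```python
import sqlite3

# Constructed demo table; not from the thread. sqlite3 stands in for
# PostgreSQL here because it needs no server and the bind mechanics match.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_bound(conn, name):
    # The statement text is fixed before any data is seen; the bound value is
    # compared as a string and never reaches the SQL parser.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]

def lookup_rebuilt(conn, name):
    # Stand-in for the "function call" escape hatch: a helper that splices the
    # value back into statement text, so the data is parsed as SQL after all.
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'")
    return [r[0] for r in rows]

# Constructed probe: a tautology that only has an effect if it is parsed.
PROBE = "nobody' OR '1'='1"

def compare(name=PROBE):
    """Run both paths on the same input and return the rows each produced."""
    conn = make_db()
    try:
        return {"bound": lookup_bound(conn, name),
                "rebuilt": sorted(lookup_rebuilt(conn, name))}
    finally:
        conn.close()

if __name__ == "__main__":
    for path, rows in compare().items():
        print(f"{path:8s} -> {rows}")
```

With an ordinary name both paths agree; with the probe only the rebuilt path returns every row, because only there did the value change what the query does.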