Re: HIPPA (was Re: Anyone know ...) - Mailing list pgsql-general

From Kenneth Downs
Subject Re: HIPPA (was Re: Anyone know ...)
Date
Msg-id 45F1AD1B.7000602@secdat.com
In response to Re: HIPPA (was Re: Anyone know ...)  (Kevin Hunter <hunteke@earlham.edu>)
List pgsql-general
Kevin Hunter wrote:
>>> What about an SQL injection bug that allows for increased privileges?
>>
>> Um, web programming 101 is that you escape quotes on user-supplied
>> inputs.  That ends SQL injection.
>
> Pardon my naivete (I'm fairly new to web/DB programming) . . . is this
> the current standard method of protection from SQL injection?  How
> does it compare to SQL preparation with bound variables?

When you use SQL prepared statements it is normal for the db driver to
escape out the variables for you.  Well, at least it is in PHP; I can't
say for other systems.

>
> Kevin

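Added example, not part of the thread: a small Python script that uses the standard-library sqlite3 module as a stand-in for a PostgreSQL connection (the users table and its columns are constructed for the illustration) to contrast hand-escaping quotes in user input with passing the input as a bound parameter. It also shows the case quote escaping alone does not cover, a value interpolated into an unquoted numeric comparison.

```python
import sqlite3

# Constructed sample data; the table and column names are assumptions for this
# illustration, not taken from the thread.
SAMPLE_ROWS = [(1, "alice", 1), (2, "bob", 0), (3, "o'brien", 0)]


def make_db():
    """In-memory SQLite database standing in for the PostgreSQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def escape_quotes(value):
    """Hand-rolled 'escape quotes on user input': double each single quote."""
    return str(value).replace("'", "''")


def find_by_name_escaped(conn, name):
    # String context: the escaped value sits inside quotes in the SQL text.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % escape_quotes(name)
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, user_id):
    # Numeric context: no quotes around the value, so quote escaping has
    # nothing to act on and the input becomes part of the SQL text verbatim.
    sql = "SELECT id, name FROM users WHERE id = %s" % escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def find_by_id_bound(conn, user_id):
    # Bound parameter: the SQL text is fixed and the value is handed to the
    # driver separately, so it can only ever be compared as a value.
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_escaped(db, "o'brien"))      # [(3, "o'brien")]
    print(find_by_id_escaped(db, "2"))              # [(2, 'bob')]
    print(len(find_by_id_escaped(db, "2 OR 1=1")))  # 3: every row comes back
    print(find_by_id_bound(db, "2 OR 1=1"))         # []: treated as a plain value
```

The last two lines are the comparison the question asks for: escaping protects only the quoted string context it was written for, while the bound parameter is never part of the statement text at all.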
