Re: Protection from SQL injection - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: Protection from SQL injection
Date
Msg-id 481785FD.1020903@dunslane.net
Whole thread Raw
In response to Re: Protection from SQL injection  ("Thomas Mueller" <thomas.tom.mueller@gmail.com>)
Responses Re: Protection from SQL injection  (Andrew Sullivan <ajs@commandprompt.com>)
List pgsql-hackers

Thomas Mueller wrote:
>> Forbidding literals will break absolutely every SQL-using application on the planet
>
> Well, it's optional. If a developer or admin wants to use it, he will
> know that it could mean some work. Even if the feature is not enabled,
> it's still good to have it. And using constants will help document the
> application.

What is not optional is the probable maintenance complexity of this scheme.

Moreover, it seems unlikely that it will even cover the field. A partial 
cloak might indeed be worse than none, in that it will give some 
developers an illusion of having security.

Before we embarked on such an enterprise, I would personally want to see 
fairly loud clamor from our user base for it.

cheers

andrew

