Re: PG 9.0 and standard_conforming_strings - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: PG 9.0 and standard_conforming_strings
Date
Msg-id 4B69FF3D.9010107@dunslane.net
Whole thread Raw
In response to Re: PG 9.0 and standard_conforming_strings  (marcin mank <marcin.mank@gmail.com>)
Responses Re: PG 9.0 and standard_conforming_strings
List pgsql-hackers

marcin mank wrote:
> A certain prominent web framework has a nasty SQL injection bug when
> PG is configured with SCS. This bug is not present without SCS
> (details per email for interested PG hackers). I say, hold it off.
>
>
>   

Any web framework that interpolates user supplied values into SQL rather 
than using placeholders is broken from the get go, IMNSHO. I'm not 
saying that there aren't reasons to hold up moving to SCS, but this 
isn't one of them.

cheers

andrew


pgsql-hackers by date:

Previous
From: marcin mank
Date:
Subject: Re: PG 9.0 and standard_conforming_strings
Next
From: Marko Tiikkaja
Date:
Subject: Re: Review of Writeable CTE Patch