Re: PG 9.0 and standard_conforming_strings - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: PG 9.0 and standard_conforming_strings
Msg-id 4B69FF3D.9010107@dunslane.net
In response to Re: PG 9.0 and standard_conforming_strings  (marcin mank <marcin.mank@gmail.com>)
Responses Re: PG 9.0 and standard_conforming_strings  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers

marcin mank wrote:
> A certain prominent web framework has a nasty SQL injection bug when
> PG is configured with SCS. This bug is not present without SCS
> (details per email for interested PG hackers). I say, hold it off.

Any web framework that interpolates user supplied values into SQL rather 
than using placeholders is broken from the get go, IMNSHO. I'm not 
saying that there aren't reasons to hold up moving to SCS, but this 
isn't one of them.

cheers

andrew
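
The following is an added illustration, not code from this thread or from the framework marcin mentions (whose details are not given here). It models the one lexer rule that standard_conforming_strings changes, namely whether a backslash inside a plain '...' literal escapes the next character, and shows why a client-side escaper written for one setting can let user input terminate the literal under the other, while a parameterised query never exposes the value to that lexer at all. The function names (read_literal, analyze, escape_backslash, escape_doubling, escape_for_mode, build_query, build_parameterized), the users table and the payload strings are all assumptions made for the example; the escape decoding inside the literal is simplified, since only where the literal ends matters here.

```python
"""Why the same escaping routine is safe under one standard_conforming_strings
(SCS) setting and injectable under the other.  Self-contained: no database,
just a model of PostgreSQL's string-literal boundary rules."""


def read_literal(sql: str, scs: bool) -> tuple[str, str]:
    """Consume one string literal at the start of `sql`.

    Returns (decoded_value, sql_remaining_after_the_closing_quote).
    SCS on : backslash is an ordinary character; only '' escapes a quote.
    SCS off: backslash also escapes the next character (\\' is a quote).
    E'...' literals always use the backslash rule regardless of SCS.
    """
    if sql[:2].upper() == "E'":
        scs = False
        sql = sql[1:]
    if not sql.startswith("'"):
        raise ValueError("not positioned at a string literal")
    out: list[str] = []
    i = 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if sql[i + 1 : i + 2] == "'":      # '' is an escaped quote in both modes
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1 :]  # unpaired quote closes the literal
        if c == "\\" and not scs and i + 1 < len(sql):
            # Simplified escape: take the next character literally.  The real
            # lexer also decodes \n, \xHH etc.; irrelevant for where it ends.
            out.append(sql[i + 1])
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def analyze(query: str, scs: bool) -> tuple[str, str]:
    """Find the first literal in `query` and return (value, trailing SQL).
    Trailing SQL other than the expected '' means the value broke out."""
    return read_literal(query[query.index("'") :], scs)


# --- three client-side escapers ---------------------------------------------

def escape_backslash(value: str) -> str:
    """MySQL-style: only correct when the server treats backslash as escape."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_doubling(value: str) -> str:
    """SQL-standard quote doubling; ignores backslashes, so only correct
    when the server does too (SCS on)."""
    return value.replace("'", "''")


def escape_for_mode(value: str, scs: bool) -> str:
    """What a connection-aware escaper (libpq's PQescapeStringConn) does:
    double quotes always, and double backslashes only when SCS is off."""
    if not scs:
        value = value.replace("\\", "\\\\")
    return value.replace("'", "''")


# --- the two ways of building the statement ---------------------------------

def build_query(escaper, value: str) -> str:
    """String interpolation: the value becomes part of the SQL text."""
    return "SELECT * FROM users WHERE name = '" + escaper(value) + "'"


def build_parameterized(value: str) -> tuple[str, tuple[str, ...]]:
    """Placeholder: the SQL text is constant and contains no literal; the
    value travels as a separate bind parameter, so no lexer rule, SCS or
    otherwise, is ever applied to it."""
    return "SELECT * FROM users WHERE name = $1", (value,)


if __name__ == "__main__":
    # Constructed payloads: each one is harmless under the setting its
    # escaper was written for and breaks out under the other.
    cases = {
        "backslash-escaper": (escape_backslash, "' OR 1=1 --"),
        "quote-doubler":     (escape_doubling, "\\' OR 1=1 --"),
    }
    for name, (esc, payload) in cases.items():
        for scs in (False, True):
            value, rest = analyze(build_query(esc, payload), scs)
            print(f"{name:18} scs={scs!s:5} literal={value!r:16} trailing={rest!r}")
    for scs in (False, True):
        for _, payload in cases.values():
            _, rest = analyze(build_query(lambda v: escape_for_mode(v, scs), payload), scs)
            print(f"mode-aware         scs={scs!s:5} trailing={rest!r}")
    print(build_parameterized("' OR 1=1 --"))
```

Run it and the trailing-SQL column shows ` OR 1=1 --'` for the backslash escaper once SCS is on and for the quote doubler while SCS is off; the mode-aware escaper is clean in both settings only because it asks the connection which rule is in force, which is the dependency that placeholders remove entirely.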

