Home > mailing lists

Re: Protection from SQL injection - Mailing list pgsql-sql

From	Thomas Mueller
Subject	Re: Protection from SQL injection
Date	April 26, 2008 18:19:49
Msg-id	5f211bd50804261119x25c6d488hec0cde5bab189ac5@mail.gmail.com Whole thread Raw
In response to	Re: Protection from SQL injection ("Jaime Casanova" <systemguards@gmail.com>)
Responses	Re: Protection from SQL injection
List	pgsql-sql

Tree view

Hi,

>  > The 'ALLOW_LITERALS NONE' mode is enabled by the developer itself, or
>  > by an administrator.
>  then it solves nothing...
>  what if the developer never SET ALLOW_LITERALS NONE

As I have said, the 'ALLOW_LITERALS NONE' mode is enabled by the
developer itself, or by an administrator. The developer may be lazy,
but the administrator can enforce this policy.

>  maybe i can inject "select * from tab where intcol = intcol; set
>  allow_literals all; add any query you want"

How do you inject this? How would the application looks like where
this can be injected?

Regards,
Thomas

pgsql-sql by date:

From: "Thomas Mueller"
Date: 26 April 2008, 18:17:02
Subject: Fwd: Protection from SQL injection

From: "Jaime Casanova"
Date: 26 April 2008, 21:31:52
Subject: Re: Protection from SQL injection

Re: Protection from SQL injection - Mailing list pgsql-sql

Previous

Next