Re: Protection from SQL injection - Mailing list pgsql-hackers

From Thomas Mueller
Subject Re: Protection from SQL injection
Date
Msg-id 5f211bd50804300542h50ece8b7r1f6ffd76daef8569@mail.gmail.com
In response to Re: Protection from SQL injection  (Hannu Krosing <hannu@krosing.net>)
List pgsql-hackers
Hi,

> How many people are using literals in Java?

Not sure if I understood the question... In Java most people use
constants (final static). 'Checkstyle' can find 'magic numbers' in the
source code.

If the constants feature was very important in SQL, people would have
requested it, and it would be in the SQL standard by now. There is a
workaround: user defined functions.

> Disabling multi-statement commands

Disabling multi-statement commands just limits the effect of SQL
injection. Disabling literals actually protects from SQL injection.
Both features are important.

> ( almost ? ) the same result by doing all access using functions

This also doesn't protect from SQL injection, it only limits the effect.

> Half a security measure is almost always worse than none at all

Cars and houses have locks. Locks can't fully protect you. Do they
give the illusion of security? Maybe. But it's definitely better to have
them.

> headlines: "New PostgreSQL feature breaks 99% applications"

Not if it's disabled by default. What about "New PostgreSQL feature
offers 95% protection from SQL injection"?

> The developers and admins who know about this feature and want to use it...
> quality produced by this ppl is higher than average and less likely to have such basic faults.

Maybe. I found some problems in my code when enabling this feature,
and I thought I was safe (or paranoid :-).

Regards,
Thomas
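To make the distinction argued above concrete (rejecting multi-statement commands only limits the damage, rejecting literals blocks the injection itself), here is a small added example, not code from the thread, from PostgreSQL or from any real implementation of the feature: a toy tokenizer that applies both checks to a parameterized query and to the same query built by string concatenation. The queries and the injected input are constructed for the example.

```python
import re

# Toy literal / multi-statement checker written for this example; it is not
# PostgreSQL's parser and only understands simple single-quoted strings,
# numbers, identifiers and $n bind parameters.
TOKEN = re.compile(r"""
    (?P<string>'(?:[^']|'')*')            # string literal; '' escapes a quote
  | (?P<param>\$\d+)                      # bind parameter such as $1
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)     # identifier or keyword
  | (?P<number>\d+(?:\.\d+)?)             # numeric literal
  | (?P<other>\S)                         # any other single character
""", re.VERBOSE)

def tokenize(sql):
    return [(m.lastgroup, m.group()) for m in TOKEN.finditer(sql)]

def find_literals(sql):
    """Literals embedded in the query text (what a 'disable literals' mode forbids)."""
    return [text for kind, text in tokenize(sql) if kind in ("string", "number")]

def count_statements(sql):
    """Statements separated by ';' outside of string literals (a trailing ';' adds none)."""
    toks = tokenize(sql)
    inner = [i for i, (_, t) in enumerate(toks) if t == ";" and i < len(toks) - 1]
    return 1 + len(inner)

def check_query(sql, disable_literals=True, disable_multi=True):
    """Return the reasons the query would be rejected; an empty list means allowed."""
    reasons = []
    if disable_multi and count_statements(sql) > 1:
        reasons.append("multiple statements")
    if disable_literals and find_literals(sql):
        reasons.append("literals: " + ", ".join(find_literals(sql)))
    return reasons

if __name__ == "__main__":
    # Constructed sample: the same lookup with a bind parameter, and with the
    # user input  ' OR '1'='1  concatenated into the query text.
    parameterized = "SELECT * FROM users WHERE name = $1"
    concatenated = "SELECT * FROM users WHERE name = '" + "' OR '1'='1" + "'"
    for q in (parameterized, concatenated):
        # With only the multi-statement check, the concatenated query still runs.
        print(q, "->", check_query(q, disable_literals=False) or "allowed")
        # With the literal check, the injected strings are what gets it rejected.
        print(q, "->", check_query(q) or "allowed")
```

The concatenated query is a single statement, so a multi-statement ban alone lets it through; the literal check rejects it because the injected `''`, `'1'` and `'1'` are literals that a parameterized query never contains.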

