Home > mailing lists

Re: PG 9.0 and standard_conforming_strings - Mailing list pgsql-hackers

From	Robert Haas
Subject	Re: PG 9.0 and standard_conforming_strings
Date	February 4, 2010 01:16:57
Msg-id	603c8f071002031816l1262ba1bne30e0fedbb4b1744@mail.gmail.com Whole thread Raw
In response to	Re: PG 9.0 and standard_conforming_strings (Andrew Dunstan <andrew@dunslane.net>)
Responses	Re: PG 9.0 and standard_conforming_strings Re: PG 9.0 and standard_conforming_strings
List	pgsql-hackers

Tree view

On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <andrew@dunslane.net> wrote:
> marcin mank wrote:
>> A certain prominent web framework has a nasty SQL injection bug when
>> PG is configured with SCS. This bug is not present without SCS
>> (details per email for interested PG hackers). I say, hold it off.
>
> Any web framework that interpolates user supplied values into SQL rather
> than using placeholders is broken from the get go, IMNSHO. I'm not saying
> that there aren't reasons to hold up moving to SCS, but this isn't one of
> them.

That seems more than slightly harsh.  I've certainly come across
situations where interpolating values (with proper quoting of course)
made more sense than using placeholders.  YMMV, of course.

...Robert

pgsql-hackers by date:

From: Robert Haas
Date: 04 February 2010, 01:13:25
Subject: Re: Add on_trusted_init and on_untrusted_init to plperl UPDATED [PATCH]

From: Robert Haas
Date: 04 February 2010, 01:27:47
Subject: Re: [CFReview] Red-Black Tree

Re: PG 9.0 and standard_conforming_strings - Mailing list pgsql-hackers

Previous

Next