> > Applications which use parameterized prepared statement syntax
> > exclusively (e.g. "SELECT * FROM table WHERE id = ?", $var1).
> >
> >
> > Umm. AFAIK that's only true if the client library actually uses
> > paremetrised queries over the wire, which I'm quite sure
> all don't. I
> > beleive PHP doesn't, at leas tnot until the very latest
> version, for
> > example.
>
> Hmmm. Can you think of a way to re-word that without doing
> an entire paragraph?
The wording I have for the bugtraq post (out in a couple of minutes) is:
* If application always sends untrusted strings as out-of-line
parameters,
instead of embedding them into SQL commands, it is not vulnerable.
This is
only available in PostgreSQL 7.4 or later.
Based on Toms suggestion.
Though that may be a bit too technical? ;)
//Magnus
