Re: binds only for s,u,i,d? - Mailing list pgsql-hackers

From Greg Stark
Subject Re: binds only for s,u,i,d?
Msg-id 87irmcoww4.fsf@stark.xeocode.com
In response to Re: binds only for s,u,i,d?  (Neil Conway <neilc@samurai.com>)
Responses Re: binds only for s,u,i,d?  (Andrew Dunstan <andrew@dunslane.net>)
List pgsql-hackers
Neil Conway <neilc@samurai.com> writes:

> On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
> 
> > Why can't preparation be used as a global anti-injection facility?
> 
> All that work would need to be deferred to EXECUTE-time, which would largely
> defeat the purpose of server-side prepared statements, no?

It would also defeat the anti-injection purpose. If you can use parameters to
change the semantics of the query then you're not really protected any more.
The whole security advantage of using parameters comes from knowing exactly
what a query will do with the data you provide.

-- 
greg
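The distinction Greg draws above (a parameter can only ever be data; it cannot change what the query does) is easy to see in code. The following is an added example, not part of the thread and not PostgreSQL's own code. It uses Python's bundled sqlite3 module as a stand-in for a PostgreSQL client so that it runs offline; the `users` table, its two rows, and the helper names `make_db`, `lookup_concat`, `lookup_bound` and `bind_as_identifier` are all constructed for the example. The same contrast holds for PostgreSQL prepared statements with `$1` placeholders, which is an assumption on the reader's part here since the example does not talk to a real server.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with two users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return con


def lookup_concat(con, name):
    """Vulnerable form: user input is spliced into the query text, so the
    input can change the query's semantics (add an OR, comment out the
    rest, etc.)."""
    sql = f"SELECT secret FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_bound(con, name):
    """Safe form: the query text is fixed before any user data is seen.
    The parameter is compared as a string value; it is never parsed as SQL,
    so the query always means "rows whose name equals this value"."""
    sql = "SELECT secret FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def bind_as_identifier(con, table):
    """Why binds are limited to data positions: a parameter cannot stand in
    for a table name (or any other part of the query structure). The parser
    rejects it up front, which is exactly what keeps the query's meaning
    fixed. Returns the parser's error text, or None if it unexpectedly ran."""
    try:
        con.execute("SELECT secret FROM ?", (table,))
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    con = make_db()
    # Classic tautology payload, constructed for the demonstration.
    payload = "' OR '1'='1"
    print("concat :", lookup_concat(con, payload))   # leaks every secret
    print("bound  :", lookup_bound(con, payload))    # no user has that name
    print("ident  :", bind_as_identifier(con, "users"))
```

Run as a script it shows the concatenated query returning both users' secrets for the tautology payload, the bound query returning nothing because the payload is just an unusual name, and the attempt to bind a table name failing at parse time. That last failure is the point of the thread: if the server allowed a parameter to become an identifier, the query's meaning would no longer be known until EXECUTE, and the guarantee that parameters are inert data would be gone.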


