ngpg@grymmjack.com writes:
> if you are going to be passing any user input to the database, you
> must/should validate in some manner before blindly passing it to the db.
> The db can and should guarantee data integrity, but the database cannot
> read your mind when it comes to how you structure your queries.
[example of SQL injection attack deleted]
This is not the problem at hand. SQL injection attacks can be avoided
easily. Bugs in the conversion of strings to internal PostgreSQL
objects are a different matter, though, and usually, devastating
effects cannot be avoided by (reasonably complex) checks in the
frontend.
--
Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
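To make Weimer's distinction concrete from the defender's side: the "easily avoided" part is the frontend keeping SQL text and user-supplied values separate. The following is an added example, not code from the thread or from PostgreSQL; it uses Python's bundled sqlite3 module in place of a PostgreSQL connection so it runs offline (with psycopg2 the same pattern applies, with `%s` as the placeholder), and the table contents and the `' OR '1'='1` input are constructed for the demonstration. The string-built query lets a quote in the input rewrite the WHERE clause; the parameterized query keeps the SQL fixed and hands the value to the database as data. What the example cannot show is Weimer's other point: once a value reaches the server, any bug in how the server converts that string to its internal type is outside what such frontend checks control.

```python
import sqlite3

# Constructed sample rows (not from the thread).
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the value is spliced into the SQL text, so a quote
    character in the input becomes part of the statement's structure."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened form: the SQL text is constant; the driver passes the value
    separately, so it can only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with the same hostile-looking input and a normal one,
    returning row counts so the difference is visible as a value."""
    conn = make_db()
    hostile = "' OR '1'='1"  # constructed input; a quote plus a tautology
    return {
        "concat_rows": len(lookup_concat(conn, hostile)),  # whole table leaks
        "param_rows": len(lookup_param(conn, hostile)),    # no such name: 0
        "normal": lookup_param(conn, "bob"),               # ordinary lookup
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the concatenated lookup returning every row for the hostile input while the parameterized lookup returns none, without any input filtering in the frontend at all; this is why the injection case is the easy one, and why the harder case is a server-side conversion bug that a correctly parameterized value still reaches.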