Weimer@CERT.Uni-Stuttgart.DE (Florian Weimer) wrote
> ngpg@grymmjack.com writes:
>
>> if you are going to be passing any user input to the database, you
>> must/should validate in some manner before blindly passing it to the db.
>> The db can and should guarantee data integrity, but the database cannot
>> read your mind when it comes to how you structure your queries.
>
> [example of SQL injection attack deleted]
>
> This is not the problem at hand. SQL injection attacks can be avoided
> easily. Bugs in the conversion of strings to internal PostgreSQL
> objects are a different matter, though, and usually, devastating
> effects cannot be avoided by (reasonably complex) checks in the
> frontend.
>
yeah i wasnt aware that adding a if(strlen($input) > SOME_REASONABLE_MAX)
was complex. the sql injection attack was just an(other) example of why
you do not simply forward user input to the backend. all i was trying to
point out is that most of these buffer overflows in the backend can be
avoided just as easily as the sql injection attack.