Thread: Re: Your FAQ page :-)
> > > Applications which use parameterized prepared statement syntax
> > > exclusively (e.g. "SELECT * FROM table WHERE id = ?", $var1).
> >
> > Umm. AFAIK that's only true if the client library actually uses
> > parametrised queries over the wire, which I'm quite sure all don't. I
> > believe PHP doesn't, at least not until the very latest version, for
> > example.
>
> Hmmm. Can you think of a way to re-word that without doing an entire
> paragraph?

The wording I have for the bugtraq post (out in a couple of minutes) is:

* If the application always sends untrusted strings as out-of-line
  parameters, instead of embedding them into SQL commands, it is not
  vulnerable. This is only available in PostgreSQL 7.4 or later.

Based on Tom's suggestion. Though that may be a bit too technical? ;)

//Magnus
Magnus,

> The wording I have for the bugtraq post (out in a couple of minutes) is:
>
> * If the application always sends untrusted strings as out-of-line
>   parameters, instead of embedding them into SQL commands, it is not
>   vulnerable. This is only available in PostgreSQL 7.4 or later.

Fixed. I love CMSes, even when they're buggy. ;-)

-- 
Josh Berkus
PostgreSQL @ Sun
San Francisco
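The distinction the two messages above turn on ("out-of-line parameters" versus "embedding them into SQL commands", and whether a client library really does this "over the wire") is a property of the PostgreSQL v3 frontend/backend protocol that 7.4 introduced. The following is an added illustration, not code from the thread or from the PostgreSQL project: it builds the raw protocol bytes for both patterns without connecting to any server, and decodes them to show exactly which strings the backend's SQL parser would see. The query templates, the hostile input string and the helper names are constructed for the example.

```python
"""Wire-level view of out-of-line parameters in the PostgreSQL v3 protocol.

Added illustration only: it constructs frontend message bytes offline and
never talks to a server.  Message layouts follow the v3 protocol (7.4+):
  Q  Query    : String sql
  P  Parse    : String name, String sql, Int16 ntypes, Int32[] type OIDs
  B  Bind     : String portal, String stmt, Int16 nfmt, Int16[] fmt,
                Int16 nparams, (Int32 len, Byte[len])*, Int16 nrfmt, Int16[]
  E  Execute  : String portal, Int32 max_rows
  S  Sync     : (empty)
Every message is a 1-byte tag followed by an Int32 length that counts itself.
"""
import struct

# Constructed hostile input for the demonstration; it is never sent anywhere.
UNTRUSTED = "1; DROP TABLE users; --"


def _cstring(s: str) -> bytes:
    """Protocol 'String': UTF-8 bytes terminated by a NUL."""
    return s.encode("utf-8") + b"\x00"


def _frame(tag: bytes, payload: bytes) -> bytes:
    """Wrap a payload as a frontend message: tag, Int32 length (incl. itself), payload."""
    return tag + struct.pack("!i", len(payload) + 4) + payload


def simple_query(template: str, value: str) -> bytes:
    """The embedding pattern: the value is spliced into the SQL text and the
    whole string is sent in one Query ('Q') message, so the backend parses the
    value as SQL.  A client library that implements '?' placeholders by
    quoting on the client side and then sending 'Q' is still this pattern."""
    return _frame(b"Q", _cstring(template.replace("?", value)))


def extended_query(sql: str, params) -> bytes:
    """The out-of-line pattern: the SQL text (with $1, $2 ... placeholders)
    travels in Parse ('P'); each parameter travels as a length-prefixed blob in
    Bind ('B').  The backend never runs its SQL parser over Bind payloads, so
    no quoting or escaping of the values is involved at all."""
    parse = _frame(b"P",
                   _cstring("")                 # unnamed prepared statement
                   + _cstring(sql)
                   + struct.pack("!h", 0))      # 0 parameter type OIDs: server infers
    body = _cstring("") + _cstring("")          # unnamed portal, unnamed statement
    body += struct.pack("!h", 0)                # 0 param format codes => all text
    body += struct.pack("!h", len(params))
    for p in params:
        raw = p.encode("utf-8")
        body += struct.pack("!i", len(raw)) + raw   # Int32 length, raw bytes, no NUL
    body += struct.pack("!h", 0)                # 0 result format codes => all text
    bind = _frame(b"B", body)
    execute = _frame(b"E", _cstring("") + struct.pack("!i", 0))  # unnamed portal, no row limit
    sync = _frame(b"S", b"")
    return parse + bind + execute + sync


def sql_text_seen_by_parser(stream: bytes) -> list:
    """Walk a frontend message stream and return every string the backend's
    SQL parser would actually parse: the body of each 'Q' message and the
    query field of each 'P' message.  Bind ('B') payloads are skipped, which
    is precisely why out-of-line parameters cannot change the statement."""
    texts = []
    i = 0
    while i < len(stream):
        tag = stream[i:i + 1]
        (length,) = struct.unpack("!i", stream[i + 1:i + 5])
        payload = stream[i + 5:i + 1 + length]
        if tag == b"Q":
            texts.append(payload[:-1].decode("utf-8"))
        elif tag == b"P":
            end_name = payload.index(b"\x00")
            end_sql = payload.index(b"\x00", end_name + 1)
            texts.append(payload[end_name + 1:end_sql].decode("utf-8"))
        i += 1 + length
    return texts


if __name__ == "__main__":
    embedded = simple_query("SELECT * FROM t WHERE id = ?", UNTRUSTED)
    out_of_line = extended_query("SELECT * FROM t WHERE id = $1", [UNTRUSTED])
    print("embedded    :", sql_text_seen_by_parser(embedded))
    print("out-of-line :", sql_text_seen_by_parser(out_of_line))
```

Running it shows the embedded case handing the parser `SELECT * FROM t WHERE id = 1; DROP TABLE users; --`, while in the out-of-line case the parser only ever sees `SELECT * FROM t WHERE id = $1`; the hostile bytes are present in the stream, but only inside the Bind message. The practical check this suggests for a client library is to capture its traffic and look for 'P'/'B' messages rather than 'Q': an API that offers placeholders but emits 'Q' is doing client-side quoting and gets none of the protection the advisory wording describes.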
BTW, I notice that http://www.postgresql.org/docs/techdocs.52 points for
"release notes" to http://www.postgresql.org/docs/8.1/static/release.html,
which is not up to date. A quick fix is to point to the devel docs instead:

http://developer.postgresql.org/docs/postgres/release.html

Someone should update the website copies of the docs, but I dunno when that
will happen.

regards, tom lane
Tom,

> A quick fix is to point to the devel docs instead:
> http://developer.postgresql.org/docs/postgres/release.html

Fixed, temporarily.

-- 
Josh Berkus
PostgreSQL @ Sun
San Francisco