Thread: Re: Your FAQ page :-)

Re: Your FAQ page :-)

From
"Magnus Hagander"
Date:
> > Applications which use parameterized prepared statement syntax
> > exclusively (e.g. "SELECT * FROM table WHERE id = ?", $var1).
> >
> >
> > Umm. AFAIK that's only true if the client library actually uses
> > parametrised queries over the wire, which I'm quite sure
> all don't. I
> > believe PHP doesn't, at least not until the very latest
> version, for
> > example.
>
> Hmmm.  Can you think of a way to re-word that without doing
> an entire paragraph?

The wording I have for the bugtraq post (out in a couple of minutes) is:
* If an application always sends untrusted strings as out-of-line parameters,
  instead of embedding them into SQL commands, it is not vulnerable. This is
  only available in PostgreSQL 7.4 or later.

Based on Tom's suggestion.

Though that may be a bit too technical? ;)

//Magnus

Re: Your FAQ page :-)

From
Josh Berkus
Date:
Magnus,

> The wording I have for the bugtraq post (out in a couple of minutes) is:
> * If an application always sends untrusted strings as out-of-line parameters,
>   instead of embedding them into SQL commands, it is not vulnerable. This is
>   only available in PostgreSQL 7.4 or later.

Fixed.  I love CMSes, even when they're buggy.  ;-)

--
Josh Berkus
PostgreSQL @ Sun
San Francisco

Re: Your FAQ page :-)

From
Tom Lane
Date:
BTW, I notice that http://www.postgresql.org/docs/techdocs.52
points for "release notes" to
http://www.postgresql.org/docs/8.1/static/release.html, which
is not up to date.

A quick fix is to point to devel docs instead:
http://developer.postgresql.org/docs/postgres/release.html

Someone should update the website copies of the docs, but I dunno
when that will happen.

            regards, tom lane

Re: Your FAQ page :-)

From
Josh Berkus
Date:
Tom,

> A quick fix is to point to devel docs instead:
> http://developer.postgresql.org/docs/postgres/release.html

Fixed, temporarily.

--
Josh Berkus
PostgreSQL @ Sun
San Francisco