"pepone.onrez" <pepone.onrez@xxxxxxxxx> writes:

> Hi all
>
> I am interested in protecting my applications that use PostgreSQL as their
> database backend from SQL injection attacks. Can anyone recommend best
> practices or references for protecting Postgres from this kind of malicious
> user?

I strongly urge people to adopt a policy of using prepared queries except
when absolutely necessary. If all user-provided data is passed to the
database as parameters to a prepared query then you should never need to
worry about SQL injection.

It's possible to always quote your parameters before inserting them into
the query but it's much more error-prone. It's also much harder to look at
a piece of code and be sure it's correct. If you religiously use prepared
queries then any variables interpolated directly into the query stand out
like sore thumbs.

--
  Gregory Stark
  EnterpriseDB          http://www.enterprisedb.com
  Ask me about EnterpriseDB's 24x7 Postgres support!

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
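The two patterns contrasted in the reply, as an added example that is not part of the original thread. It uses Python's standard-library sqlite3 module so it runs offline; the same idea applies to PostgreSQL drivers such as psycopg2, which take `%s` placeholders instead of `?` and likewise send the values separately from the SQL text. The table contents and the function names are constructed for the illustration. A perfectly ordinary value containing a quote (`O'Brien`) is enough to show the difference: the interpolated statement changes shape and fails, while the parameterised one treats the value purely as data.

```python
"""Prepared (parameterised) queries versus string interpolation.

Added example, not from the original mailing-list post. Uses sqlite3 so it
runs without a server; PostgreSQL drivers follow the same pattern with
their own placeholder syntax (e.g. %s in psycopg2).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    # The rows themselves are constructed sample data; note the quote in O'Brien.
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("O'Brien", "obrien@example.invalid")],
    )
    conn.commit()
    return conn


def find_user_interpolated(conn: sqlite3.Connection, name: str) -> list:
    """Error-prone pattern: user data spliced into the SQL text.

    Any quote character in `name` alters the statement itself. A legitimate
    name such as O'Brien already produces a syntax error, which is exactly
    why hand-quoting every value is so hard to get right.
    """
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Recommended pattern: fixed SQL text, value passed as a parameter.

    The driver hands the value to the database separately from the query,
    so it can only ever be compared as data, never parsed as SQL.
    """
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def interpolation_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True if the interpolated form fails on `name` (a database error)."""
    try:
        find_user_interpolated(conn, name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "O'Brien"):
        print(candidate, "parameterised ->", find_user_parameterised(db, candidate))
        print(candidate, "interpolated breaks ->", interpolation_breaks(db, candidate))
```

The parameterised lookup returns the `O'Brien` row; the interpolated lookup raises a database error on the very same input. The reply's review point follows directly: once every query in a code base is written the second way, any `f"..."` or concatenation inside an `execute(...)` call is immediately visible as the odd one out.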