On Sat, 12 Apr 2008 12:39:38 -0400 Tom Lane <tgl@xxxxxxxxxxxxx> wrote: > Ivan Sergio Borgonovo <mail@xxxxxxxxxxxxxxx> writes: > > I may sound naive but having a way to protect the DB from this > > kind of injections looks as a common problem, I'd thought there > > was already a common solution. > > Use prepared statements. Yeah... but how can I effectively enforce the policy that ALL input will be passed through prepared statements? If I can't, and I doubt there is a system that will let me enforce that policy at a reasonable cost, why not providing a safety net that will at least raise the bar for the attacker at a very cheap cost? If programmers didn't make errors or errors where cheap to find there wouldn't be any sql injection problem. -- Ivan Sergio Borgonovo http://www.webthatworks.it