
Re: SQL injection, php and queueing multiple statement

On Sun, Apr 13, 2008 at 10:37:52AM +0200, Ivan Sergio Borgonovo wrote:
> > Because you appear to be seeking something to protect against 
> > programmers who do not follow coding guidelines, and that should
> > help even if code review processes fail to catch the problem. Were
> > that not the case you'd be able to use some of the other
> > suggestions made here. I quote:
> 
> Default 1 statement, switch to more than one have to be "voluntary"
> and "conscious" and can be easily spotted with grep only.

It's not quite so simple; there are backward compatibility issues.
Postgres supported multiple queries in one string since forever and
there is a huge amount of code written and still being written that
takes advantage of this. Most in contexts where SQL injection is simply
not an issue since they're static queries.

PQexec("BEGIN; CREATE TABLE ... ; CREATE TABLE ...; etc; COMMIT;");

For dynamic queries people were using prepared statements already so it
made sense to restrict it for prepared statements and leave one-shot
queries alone. You are advocating catering to a coding style that has
been discouraged for years.

If you want definitive answer I suppose you need to check the archives
at the time this decision was made, which is quite some time back.

Have a nice day,
-- 
Martijn van Oosterhout   <kleptog@xxxxxxxxx>   http://svana.org/kleptog/
> Please line up in a tree and maintain the heap invariant while 
> boarding. Thank you for flying nlogn airlines.
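As an added illustration of the distinction Martijn describes (example code, not from the thread or from PostgreSQL itself): PHP's pgsql extension exposes both libpq entry points. pg_query() calls PQexec() and accepts a multi-statement string, which is what the static DDL script above relies on; pg_query_params() calls PQexecParams(), so like any prepared statement it takes exactly one statement with the values shipped separately. The connection string, table name and request parameter are placeholders.

```php
<?php
// Added example: pg_query() vs pg_query_params() on multi-statement strings.
// Assumes a reachable database; the DSN and the "audit" table are placeholders.
$db = pg_connect('host=localhost dbname=app user=app') or die('no connection');

// 1. Static, multi-statement script: the common and harmless pattern the thread
//    describes. pg_query() maps to PQexec(), which runs several statements from
//    one string in a single round trip.
$ddl = 'BEGIN;
        CREATE TABLE IF NOT EXISTS audit (id serial PRIMARY KEY, note text);
        CREATE INDEX IF NOT EXISTS audit_note_idx ON audit (note);
        COMMIT;';
pg_query($db, $ddl) or die(pg_last_error($db));

// 2. Dynamic query built by string interpolation from untrusted input. It still
//    goes through PQexec(), so the value is parsed as SQL text along with the
//    statement: this is the style the thread says has been discouraged for years.
$note   = $_GET['note'] ?? '';            // untrusted request data (placeholder)
$unsafe = "INSERT INTO audit (note) VALUES ('$note')";
// pg_query($db, $unsafe);   // deliberately left unexecuted

// 3. The same insert via pg_query_params(), which maps to PQexecParams(). The
//    statement text and the values travel separately in the extended protocol,
//    so $1 is always data and can never add a statement, whatever it contains.
$ok = pg_query_params($db, 'INSERT INTO audit (note) VALUES ($1)', [$note]);
if ($ok === false) {
    error_log('insert failed: ' . pg_last_error($db));
}

// 4. The restriction itself: a prepared text holding two statements is refused
//    by the server before anything runs ("cannot insert multiple commands into
//    a prepared statement"), so a one-statement-per-call rule comes for free
//    wherever the parameterised entry point is used.
$res = @pg_query_params($db, 'SELECT 1; SELECT 2', []);
if ($res === false) {
    echo 'multi-statement text rejected: ' . pg_last_error($db) . PHP_EOL;
}
```

Reviewing for the interpolated style is then a matter of finding pg_query() calls whose argument is not a single literal, which is the grep-based check Ivan refers to.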
