On Sat, 12 Apr 2008 12:39:38 -0400 Tom Lane <[EMAIL PROTECTED]> wrote:
> Ivan Sergio Borgonovo <[EMAIL PROTECTED]> writes: > > I may sound naive but having a way to protect the DB from this > > kind of injections looks as a common problem, I'd thought there > > was already a common solution. > > Use prepared statements. Yeah... but how can I effectively enforce the policy that ALL input will be passed through prepared statements? If I can't, and I doubt there is a system that will let me enforce that policy at a reasonable cost, why not providing a safety net that will at least raise the bar for the attacker at a very cheap cost? If programmers didn't make errors or errors where cheap to find there wouldn't be any sql injection problem. -- Ivan Sergio Borgonovo http://www.webthatworks.it -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
