Geoff Caplan wrote:
> I'm new to Postgres and trying to get up to speed on the security
> issues. There seems to be remarkably little Postgres-specific stuff
> on preventing SQL injection attacks.

If you use prepared statements (the details of which vary by programming
language), you should be quite safe.

> Most of the online literature is on MS SQL Server. There, the
> consensus seems to be that the range of potential attacks is so wide
> that attempting to spot attack signatures in posted data is a doomed
> enterprise, and that the safest general approach for any dynamically
> built query is to execute it as a stored procedure.

That won't necessarily help you on PostgreSQL, because in stored
procedures you can paste together queries from user-provided strings.

-- 
Peter Eisentraut
http://developer.postgresql.org/~petere/
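To illustrate the point made in the reply, here is an added PL/pgSQL example (not from the thread or from the PostgreSQL project) showing a stored function that pastes a user string into its SQL text beside one that binds the value as a parameter; the `customers` table and function names are constructed for the example.

```sql
-- Constructed sample table (not from the original thread).
CREATE TABLE customers (
    id    serial PRIMARY KEY,
    name  text NOT NULL,
    email text NOT NULL
);
INSERT INTO customers (name, email) VALUES ('Alice', 'alice@example.com');

-- UNSAFE: the caller's string becomes part of the SQL text, so a quote
-- inside it changes the statement. Wrapping this in a function does not
-- help; this is exactly what the reply warns about.
CREATE FUNCTION find_customer_unsafe(p_name text)
RETURNS SETOF customers
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM customers WHERE name = ''' || p_name || '''';
END;
$$;

-- SAFE: the value travels as bound parameter $1 and is never parsed as
-- SQL. A plain non-dynamic query inside PL/pgSQL (no EXECUTE at all) is
-- safe in the same way, since it is planned as a prepared statement.
CREATE FUNCTION find_customer_safe(p_name text)
RETURNS SETOF customers
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM customers WHERE name = $1'
        USING p_name;
END;
$$;

-- If an identifier really must be dynamic (caller picks the column),
-- quote it with format()'s %I; values still go through USING.
CREATE FUNCTION find_customer_by(p_column text, p_value text)
RETURNS SETOF customers
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        format('SELECT * FROM customers WHERE %I = $1', p_column)
        USING p_value;
END;
$$;

-- An ordinary name containing an apostrophe is enough to expose the bug:
SELECT * FROM find_customer_unsafe('O''Brien');  -- fails: the quote ends the literal early
SELECT * FROM find_customer_safe('O''Brien');    -- runs, returns no rows
SELECT * FROM find_customer_by('email', 'alice@example.com');  -- returns Alice
```

The unsafe function's failure on a legitimate apostrophe is the same defect that lets a hostile string alter the query, so the fix is the same: keep data out of the SQL text.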