> If you're going to ask people to do significant revision of their > apps to gain security, they're going to want it to work no matter > what database they run their apps against. This is why you need > a client-side solution such as tainting.
Or if people are going to re-write their applications anyway, we'd want at least a theoretically robust and flexible approach like libdejector, which lets you identify which parts of a query structure are modifiable and which are not. For example, some applications need to replace whole phrases: $criteria = "WHERE $var1 = '$var2'" This is a very common approach for dynamic search screens, and really not covered by placeholder approaches. -- --Josh Josh Berkus PostgreSQL @ Sun San Francisco -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
