> How often do people code comments into prepare statements in perl
> or the equivalent in java, ruby, etc?
>
> Do you put comments in your perl prepare statements?

Does it matter? It shouldn't. They are comments.

> If comments count as a statement, at the server end, then the
> multi-statement disabling also disables another attack vector -
> slightly: you can no longer attack using this as your username:
> "' OR 1=1;--"

Using placeholders and other best practices removes such attacks completely. I mostly agree with some other people in this thread that the 'disable multi-line switch' is marginally useful at best, and provides a false sense of security. But let's not confuse the issue with examples like the above. Otherwise I'll point out yet again that this whole thing's a solution in search of a problem. Poorly written apps will remain poorly written apps, no matter what server-side band-aids we try to apply.

--
Greg Sabino Mullane [EMAIL PROTECTED]
PGP Key: 0x14964AC8 200805051559
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
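As an added illustration, not part of Greg's message or of PostgreSQL itself, here is a Python stand-in (SQLite in memory, standing in for the Perl DBI/PostgreSQL case) for the two points above: the `' OR 1=1;--` username rewrites a string-built query but is just data when bound through a placeholder, and a SQL comment inside the prepared text changes nothing. The `users` table and its one row are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data: one user row in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_interpolated(conn, username, password):
    # Vulnerable pattern: input is spliced into the SQL text, so the
    # attacker's quote closes the literal, "OR 1=1" makes the predicate
    # true, and ";--" turns the real password check into a comment.
    sql = ("SELECT count(*) FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_placeholders(conn, username, password):
    # Safe pattern: the statement text is fixed at prepare time (a comment
    # in it is harmless, as the thread says) and the values are bound as
    # data, so "' OR 1=1;--" is compared literally against the column.
    sql = ("SELECT count(*) FROM users\n"
           "-- credentials arrive as bound parameters, never interpolated\n"
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    # Returns whether each login path accepts the injection payload from
    # the thread, plus a sanity check that valid credentials still work.
    conn = make_db()
    payload = "' OR 1=1;--"
    return {
        "interpolated_bypass": login_interpolated(conn, payload, "wrong"),
        "placeholder_bypass": login_placeholders(conn, payload, "wrong"),
        "placeholder_valid": login_placeholders(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the interpolated query is defeated without any second statement being executed, which is why a server-side multi-statement switch does not address it.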