On Jun 15, 2006, at 1:20 PM, Geo Carncross wrote:
This might actually be easier - All three supported databases (in a way)
support a concept of access controls. With MySQL and Pg, each "mailbox"
could be given a separate table (unless per-row grant rights are
possible), and then it'd be the SQL servers' job. Something they've
already got to spend a lot of effort into.

At best that only limits the amount of damage an injection attack can do. If you want to protect against injection attacks, the only logical way to do it is to use bound parameters.


That doesn't mean that using appropriate database security isn't a good thing... it is.
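
The distinction drawn in this reply, as an added example that is not part of the original message or the project's code: a per-mailbox access control stops a concatenated query from reaching another mailbox but not from being rewritten inside the permitted one, while a bound parameter keeps the input as data. Assumptions: the table and column names and the `hidden` flag are hypothetical, and SQLite's authorizer callback stands in for a MySQL/Pg per-table GRANT.

```python
import sqlite3

# Constructed inputs a mail client might send as a subject search term.
WIDEN = "x' OR hidden = 1 --"
CROSS = "x' UNION SELECT subject FROM mailbox_bob --"

def open_db():
    """Constructed data: one table per mailbox, as the quoted proposal suggests."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mailbox_alice (subject TEXT, hidden INTEGER);
        CREATE TABLE mailbox_bob   (subject TEXT, hidden INTEGER);
        INSERT INTO mailbox_alice VALUES ('lunch', 0), ('draft', 1);
        INSERT INTO mailbox_bob   VALUES ('payroll', 0);
    """)
    # Stand-in for a per-table GRANT: this session may read only mailbox_alice.
    def only_alice(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_READ and arg1 != "mailbox_alice":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    db.set_authorizer(only_alice)
    return db

def search_concat(db, term):
    # Vulnerable form: the search term is pasted into the SQL text.
    sql = ("SELECT subject FROM mailbox_alice "
           "WHERE hidden = 0 AND subject = '" + term + "'")
    return [row[0] for row in db.execute(sql)]

def search_bound(db, term):
    # Bound parameter: the term is sent as data and is never parsed as SQL.
    sql = "SELECT subject FROM mailbox_alice WHERE hidden = 0 AND subject = ?"
    return [row[0] for row in db.execute(sql, (term,))]

def denied_by_acl(db, term):
    """True when the access control rejects the concatenated query outright."""
    try:
        search_concat(db, term)
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = open_db()
    print("concat, widened filter:", search_concat(db, WIDEN))
    print("concat, other mailbox denied:", denied_by_acl(db, CROSS))
    print("bound:", search_bound(db, WIDEN), search_bound(db, CROSS))
```
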
