Hi,

> How many people are using literals in Java?

Not sure if I understood the question... In Java most people use constants (final static). 'Checkstyle' can find 'magic numbers' in the source code. If the constants feature was very important in SQL, people would have requested it, and it would be in the SQL standard by now. There is a workaround: user defined functions.

> Disabling multi-statement commands

Disabling multi-statement commands just limits the effect of SQL injection. Disabling literals actually protects from SQL injection. Both features are important.

> (almost?) the same result by doing all access using functions

This also doesn't protect from SQL injection, it only limits the effect.

> Half a security measure is almost always worse than none at all

Cars and houses have locks. Locks can't fully protect you. Do they give the illusion of security? Maybe. But it's definitely better to have them.

> headlines: "New PostgreSQL feature breaks 99% applications"

Not if it's disabled by default. What about "New PostgreSQL feature offers 95% protection from SQL injection"?

> The developers and admins who know about this feature and want to use it...
> quality produced by this ppl is higher than average and less likely to have
> such basic faults.

Maybe. I found some problems in my code when enabling this feature, and I thought I was safe (or paranoid :-).

Regards,
Thomas

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
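The two checks argued about in this thread, a "reject literals" guard and a "reject multiple statements" guard, as an added illustration that is not part of the thread and not the proposed PostgreSQL feature or any PostgreSQL code. It is a toy Python model: the tokenizer, the `check_query` function and the constructed queries are all assumptions made here for the example, and the tokenizer deliberately covers only a small SQL subset (no dollar quoting, no block comments, no `E'...'` strings). Run over a parameterized query, a naively concatenated query with benign input, and the same concatenation with two classic injection payloads, it shows the point made above: the multi-statement guard catches only the stacked `'; DROP TABLE ...` payload, while the literal guard rejects the `' OR '1'='1` payload too, at the price of also rejecting every query that embeds an ordinary literal.

```python
import re

# Constructed tokenizer for a small SQL subset (an assumption for this example).
# Simplifications: no dollar-quoted strings, no block comments, no E'...' escapes.
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*)              # line comment, runs to end of line
  | (?P<string>'(?:[^']|'')*')         # single-quoted string, '' escapes a quote
  | (?P<number>\b\d+(?:\.\d+)?\b)      # integer or decimal literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)   # keyword or identifier
  | (?P<param>\$\d+|\?)                # bind-parameter placeholder
  | (?P<other>\S)                      # any other single character
""", re.VERBOSE)


def tokenize(sql):
    """Split sql into (kind, text) pairs; whitespace is dropped."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(sql)]


def find_literals(sql):
    """Return the string and numeric literals that appear in sql."""
    return [tok for kind, tok in tokenize(sql) if kind in ("string", "number")]


def statement_count(sql):
    """Count statements separated by ';' outside strings and comments.

    A trailing ';' does not start an empty extra statement.
    """
    count, pending = 0, False
    for kind, tok in tokenize(sql):
        if kind == "comment":
            continue
        if kind == "other" and tok == ";":
            if pending:
                count += 1
            pending = False
        else:
            pending = True
    return count + (1 if pending else 0)


def check_query(sql, allow_literals=False, allow_multi=False):
    """Return 'ok' or the reason the toy guard rejects the query text."""
    toks = tokenize(sql)
    # A lone quote means a string literal that never closed: the classic
    # symptom of a "'" in concatenated input.
    if any(kind == "other" and tok == "'" for kind, tok in toks):
        return "rejected: unterminated string literal"
    if not allow_literals and find_literals(sql):
        return "rejected: literals not allowed"
    if not allow_multi and statement_count(sql) > 1:
        return "rejected: multiple statements"
    return "ok"


# Constructed queries (assumed table and column names).
PARAM_QUERY = "SELECT * FROM users WHERE name = $1"


def build_by_concat(user_input):
    """The vulnerable pattern: user input pasted into the query text."""
    return "SELECT * FROM users WHERE name = '" + user_input + "'"


if __name__ == "__main__":
    cases = [
        ("parameterized", PARAM_QUERY),
        ("concat, benign input", build_by_concat("alice")),
        ("concat, tautology payload", build_by_concat("' OR '1'='1")),
        ("concat, stacked payload", build_by_concat("'; DROP TABLE users; --")),
    ]
    for label, sql in cases:
        print(f"{label:28s} literals off: {check_query(sql):38s} "
              f"multi off only: {check_query(sql, allow_literals=True)}")
```

With only the multi-statement guard (`allow_literals=True`), the tautology payload comes back `ok`, which is the "only limits the effect" case; with literals disallowed, both payloads are rejected, and so is the benign concatenated query, which is exactly what forces an application onto bind parameters (or the user-defined-function workaround) before the setting can be turned on.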