"Andrew Sullivan" <[EMAIL PROTECTED]> writes:

> The _principal_ trick with SQL injection is to fool the application
> into somehow handing a ";" followed by an arbitrary SQL statement.
> There are of course other things one can do, but most of them are
> constrained to abuse of statements your application already performs.
> This injection problem, on the other hand, allows an attacker to do
> whatever they want.

They're the principal trick only because they're the most convenient. If
you block them (as you can today by using PQexecParams() !!!) then people
will switch to other things.

cf. http://www.areino.com/hackeando/

(There is a semicolon there, but that's a Microsoft-ism; Postgres would
actually be more affected by this style of attack without the semicolon.)

-- 
  Gregory Stark
  EnterpriseDB          http://www.enterprisedb.com
  Ask me about EnterpriseDB's Slony Replication support!

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers