On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <and...@dunslane.net> wrote: > marcin mank wrote: >> A certain prominent web framework has a nasty SQL injection bug when >> PG is configured with SCS. This bug is not present without SCS >> (details per email for interested PG hackers). I say, hold it off. > > Any web framework that interpolates user supplied values into SQL rather > than using placeholders is broken from the get go, IMNSHO. I'm not saying > that there aren't reasons to hold up moving to SCS, but this isn't one of > them.
That seems more than slightly harsh. I've certainly come across situations where interpolating values (with proper quoting of course) made more sense than using placeholders. YMMV, of course. ...Robert -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers