Robert Haas wrote:
On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <and...@dunslane.net> wrote:
marcin mank wrote:
A certain prominent web framework has a nasty SQL injection bug when
PG is configured with SCS. This bug is not present without SCS
(details per email for interested PG hackers). I say, hold it off.
Any web framework that interpolates user supplied values into SQL rather
than using placeholders is broken from the get go, IMNSHO. I'm not saying
that there aren't reasons to hold up moving to SCS, but this isn't one of
them.
That seems more than slightly harsh. I've certainly come across
situations where interpolating values (with proper quoting of course)
made more sense than using placeholders. YMMV, of course.
How many injection attacks should we witness before deciding that the
best defence is to get out of the quoting/escaping game? Personally I
have reached that threshold.
Remember that this is a web *framework*, something that would ideally be
using best practice and heightened security awareness. There could be
cases where some applications with well known structures and queries
interpolate carefully sanitised values into SQL, but I very much doubt
that web app frameworks should be indulging in such practices. They
should go the extra mile, IMNSHO.
Anyway, I think this conversation is going slightly astray.
cheers
andrew
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
