[EMAIL PROTECTED] writes:

> if you are going to be passing any user input to the database, you
> must/should validate in some manner before blindly passing it to the db.
> The db can and should guarantee data integrity, but the database cannot
> read your mind when it comes to how you structure your queries.

[example of SQL injection attack deleted]

This is not the problem at hand. SQL injection attacks can be avoided easily. Bugs in the conversion of strings to internal PostgreSQL objects are a different matter, though, and usually, devastating effects cannot be avoided by (reasonably complex) checks in the frontend.

--
Florian Weimer [EMAIL PROTECTED]
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
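An illustration of the "easily avoided" part of the reply, added here as an example and not code from either poster: the same lookup written once by splicing user input into the SQL text and once with a bound parameter. A surname containing an apostrophe is enough to change the structure of the spliced query, which is exactly the case the quoted poster describes as the database being unable to "read your mind". Python's built-in sqlite3 module stands in for PostgreSQL so the example runs offline; the table, rows and e-mail addresses are constructed, and the function names are the example's own.

```python
import sqlite3

# Constructed sample rows; sqlite3 stands in for PostgreSQL so this runs offline.
ROWS = [
    ("O'Brien", "obrien@example.invalid"),
    ("Smith", "smith@example.invalid"),
]


def make_db():
    """Build an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, name):
    """Weak form: the input becomes part of the SQL text, so the server's
    parser sees it as query structure rather than as a value."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened form: the query shape is fixed at the call site; the input is
    shipped as a bound value and is never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both forms on the same input and report what each produced.
    The concatenated form's database error is returned as a string so the
    two behaviours can be placed side by side."""
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    param = lookup_parameterized(conn, name)
    return concat, param


if __name__ == "__main__":
    for candidate in ("Smith", "O'Brien"):
        print(repr(candidate), "->", compare(candidate))
```

For "Smith" both forms agree; for "O'Brien" the concatenated query fails to parse (`OperationalError` from sqlite3) while the parameterized one returns the row. Note that parameter binding settles only how the query text is assembled: the value still reaches the server's type-conversion code, which is the separate class of bug the reply is actually about.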