[EMAIL PROTECTED] (Florian Weimer) wrote:
> [EMAIL PROTECTED] writes:
>
>> if you are going to be passing any user input to the database, you
>> must/should validate in some manner before blindly passing it to the db.
>> The db can and should guarantee data integrity, but the database cannot
>> read your mind when it comes to how you structure your queries.
>
> [example of SQL injection attack deleted]
>
> This is not the problem at hand. SQL injection attacks can be avoided
> easily. Bugs in the conversion of strings to internal PostgreSQL
> objects are a different matter, though, and usually, devastating
> effects cannot be avoided by (reasonably complex) checks in the
> frontend.
>
Yeah, I wasn't aware that adding an if(strlen($input) > SOME_REASONABLE_MAX) was complex. The SQL injection attack was just an(other) example of why you do not simply forward user input to the backend. All I was trying to point out is that most of these buffer overflows in the backend can be avoided just as easily as the SQL injection attack.
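The two checks the thread argues about, as an added example that is not code from either poster: a frontend length bound like the strlen() test above, and a parameterized query in place of string splicing. It uses Python's stdlib sqlite3 as an in-memory stand-in for the PostgreSQL backend (the SQL is plain enough to be the same in both), a constructed users table, and a hypothetical SOME_REASONABLE_MAX value of 64; the tautology payload is printable and short, so it passes the length check and is stopped only by the parameterized query.

```python
import sqlite3

# Hypothetical bound, standing in for the SOME_REASONABLE_MAX of the thread.
SOME_REASONABLE_MAX = 64


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the thread): an in-memory users table
    standing in for the PostgreSQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    conn.commit()
    return conn


def validate_name(user_input: str) -> str:
    """Frontend check before anything reaches the backend: bound the length
    (the strlen() test from the thread) and reject non-printable bytes."""
    if len(user_input) > SOME_REASONABLE_MAX:
        raise ValueError("input exceeds SOME_REASONABLE_MAX")
    if not user_input.isprintable():
        raise ValueError("input contains non-printable characters")
    return user_input


def accepts(user_input: str) -> bool:
    """True if validate_name() lets the value through."""
    try:
        validate_name(user_input)
        return True
    except ValueError:
        return False


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """Deliberately vulnerable: user input is spliced into the SQL text, so a
    quote in the input changes the structure of the query."""
    sql = "SELECT email FROM users WHERE name = '%s' ORDER BY email" % user_input
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, user_input: str) -> list:
    """Length-checked and parameterized: the value is sent as a bound parameter
    and can never be parsed as SQL, whatever characters it contains."""
    name = validate_name(user_input)
    rows = conn.execute(
        "SELECT email FROM users WHERE name = ? ORDER BY email", (name,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"          # classic tautology, 12 printable chars
    print("length check accepts payload:", accepts(payload))
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("hardened:  ", lookup_hardened(db, payload))
    print("oversized accepted:", accepts("a" * (SOME_REASONABLE_MAX + 1)))
```

The length bound does what the poster says it does (an oversized value never leaves the frontend), while the tautology shows why it does not substitute for parameterization: a 12-character string sails past strlen() and, spliced into the query, returns every row. With a bound parameter the same string is just a name nobody has.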