Greg Stark wrote:

Neil Conway <[EMAIL PROTECTED]> writes:

On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:

Why can't preparation be used as a global anti-injection facility?
All that work would need to be deferred to EXECUTE-time, which would largely
defeat the purpose of server-side prepared statements, no?

It would also defeat the anti-injection purpose. If you can use parameters to
change the semantics of the query then you're not really protected any more.
The whole security advantage of using parameters comes from knowing exactly
what a query will do with the data you provide.

Exactly. In particular, the suspect data should never hit the parser. You can defeat that with a function call, of course, but you have to work at it.

cheers

andrew
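The point made in the replies above (bound parameters are compared as values and never reach the SQL parser, whereas spliced strings do, and a function that builds SQL from its argument reopens the hole) as an added, runnable illustration. This is not code from the thread or from PostgreSQL; it uses Python's sqlite3 module as a stand-in for a server-side prepared statement, with a constructed two-row table and a constructed injection string.

```python
import sqlite3


def make_db():
    # Constructed sample data (assumption: the thread shows no schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2")],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable: the caller's string becomes part of the statement text,
    # so the parser sees it and any quotes or operators in it change
    # what the query does.
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Safe: the statement text is fixed at prepare time; the value is bound
    # to the placeholder and compared as a literal, never parsed as SQL.
    sql = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_via_dynamic_sql(conn, name):
    # The "function call" caveat from the reply: the outer call binds the
    # value correctly, but the callee (here a stand-in for a server-side
    # function that does EXECUTE on a concatenated string) splices the
    # bound value back into SQL text, and injection is possible again.
    def dynamic_sql_function(bound_value):
        return "SELECT secret FROM users WHERE name = '" + bound_value + "'"

    row = conn.execute("SELECT ?", (name,)).fetchone()  # value passes through binding intact
    return [r[0] for r in conn.execute(dynamic_sql_function(row[0]))]


# Constructed attacker input: closes the literal and appends a tautology.
INJECTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concat  :", lookup_concat(db, INJECTED))           # both secrets leak
    print("param   :", lookup_param(db, INJECTED))            # nothing matches
    print("dynamic :", lookup_via_dynamic_sql(db, INJECTED))  # leak returns
```

Run as-is: the concatenated and dynamic-SQL variants return every row because the tautology is parsed as part of the WHERE clause, while the bound version looks for a user literally named `x' OR '1'='1` and finds none.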
