From: Andrew Dunstan on 3 Feb 2010 17:57

marcin mank wrote:
> A certain prominent web framework has a nasty SQL injection bug when
> PG is configured with SCS. This bug is not present without SCS
> (details per email for interested PG hackers). I say, hold it off.
>

Any web framework that interpolates user supplied values into SQL rather than using placeholders is broken from the get go, IMNSHO. I'm not saying that there aren't reasons to hold up moving to SCS, but this isn't one of them.

cheers

andrew

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
From: Robert Haas on 3 Feb 2010 21:16

On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <andrew(a)dunslane.net> wrote:
> marcin mank wrote:
>> A certain prominent web framework has a nasty SQL injection bug when
>> PG is configured with SCS. This bug is not present without SCS
>> (details per email for interested PG hackers). I say, hold it off.
>
> Any web framework that interpolates user supplied values into SQL rather
> than using placeholders is broken from the get go, IMNSHO. I'm not saying
> that there aren't reasons to hold up moving to SCS, but this isn't one of
> them.

That seems more than slightly harsh. I've certainly come across situations where interpolating values (with proper quoting of course) made more sense than using placeholders. YMMV, of course.

....Robert
From: "David E. Wheeler" on 4 Feb 2010 12:12

On Feb 3, 2010, at 6:16 PM, Robert Haas wrote:
>> Any web framework that interpolates user supplied values into SQL rather
>> than using placeholders is broken from the get go, IMNSHO. I'm not saying
>> that there aren't reasons to hold up moving to SCS, but this isn't one of
>> them.
>
> That seems more than slightly harsh. I've certainly come across
> situations where interpolating values (with proper quoting of course)
> made more sense than using placeholders. YMMV, of course.

Not if it leads to Little Bobby Tables's door when, you know, you use SQL conformant strings! Sounds like an app that needs its quoting function fixed.

Best,

David
From: Andrew Dunstan on 4 Feb 2010 12:28

Robert Haas wrote:
> On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <andrew(a)dunslane.net> wrote:
>
>> marcin mank wrote:
>>
>>> A certain prominent web framework has a nasty SQL injection bug when
>>> PG is configured with SCS. This bug is not present without SCS
>>> (details per email for interested PG hackers). I say, hold it off.
>>>
>> Any web framework that interpolates user supplied values into SQL rather
>> than using placeholders is broken from the get go, IMNSHO. I'm not saying
>> that there aren't reasons to hold up moving to SCS, but this isn't one of
>> them.
>>
>
> That seems more than slightly harsh. I've certainly come across
> situations where interpolating values (with proper quoting of course)
> made more sense than using placeholders. YMMV, of course.
>

How many injection attacks should we witness before deciding that the best defence is to get out of the quoting/escaping game? Personally I have reached that threshold.

Remember that this is a web *framework*, something that would ideally be using best practice and heightened security awareness. There could be cases where some applications with well known structures and queries interpolate carefully sanitised values into SQL, but I very much doubt that web app frameworks should be indulging in such practices. They should go the extra mile, IMNSHO.

Anyway, I think this conversation is going slightly astray.

cheers

andrew
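An added illustration of the point the thread circles around, not code from the thread, from PostgreSQL, or from the framework it alludes to: a small model of how the server scans an ordinary '...' literal with standard_conforming_strings off versus on, plus a round-trip check that tells you whether a quoting routine still produces a literal that ends where it should. It goes slightly beyond the thread by showing that each quoting style is only safe in one of the two modes, which is the practical argument for placeholders. The two quoting functions and the scanner are simplified assumptions of mine, not PostgreSQL's implementation.

```python
# Added example (not PostgreSQL's or any framework's code): a simplified model
# of how the server scans an ordinary '...' literal with
# standard_conforming_strings (SCS) off and on. Simplification: with SCS off,
# backslash + X decodes as X (the real lexer also expands \n, \t, etc.).

def quote_backslash(value: str) -> str:
    """Legacy quoting that relies on the old non-standard backslash rules."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def quote_standard(value: str) -> str:
    """Standard SQL quoting: double each quote, leave backslashes alone."""
    return "'" + value.replace("'", "''") + "'"

def parse_literal(sql: str, scs: bool) -> tuple[str, str]:
    """Scan one '...' literal at the start of `sql`.
    Returns (decoded value, text left after the closing quote); raises
    ValueError if the literal never terminates."""
    if not sql.startswith("'"):
        raise ValueError("expected a quoted literal")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if sql[i + 1:i + 2] == "'":       # '' is a quote in both modes
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]  # closing quote: literal ends
        if c == "\\" and not scs and i + 1 < len(sql):
            out.append(sql[i + 1])            # SCS off: backslash escapes
            i += 2
            continue
        out.append(c)                         # SCS on: backslash is literal
        i += 1
    raise ValueError("unterminated string literal")

def round_trips(quoter, value: str, scs: bool) -> bool:
    """True only if the literal decodes back to `value` with nothing trailing.
    Leftover text means part of the value escaped into the statement."""
    try:
        decoded, rest = parse_literal(quoter(value), scs)
    except ValueError:
        return False
    return decoded == value and rest == ""

if __name__ == "__main__":
    for name, q in (("backslash", quote_backslash), ("standard", quote_standard)):
        for scs in (False, True):
            ok = round_trips(q, "O'Reilly", scs) and round_trips(q, "a\\b", scs)
            print(f"{name:9s} scs={scs!s:5s} safe for both samples: {ok}")
```

Run stand-alone it prints a 2x2 table in which neither quoting style is safe in both modes; a bound parameter never enters the scanner at all, which is why it sidesteps the question entirely.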