From: Andrew Dunstan on


marcin mank wrote:
> A certain prominent web framework has a nasty SQL injection bug when
> PG is configured with SCS. This bug is not present without SCS
> (details per email for interested PG hackers). I say, hold it off.
>
>
>

Any web framework that interpolates user supplied values into SQL rather
than using placeholders is broken from the get go, IMNSHO. I'm not
saying that there aren't reasons to hold up moving to SCS, but this
isn't one of them.

cheers

andrew

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Robert Haas on
On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <andrew(a)dunslane.net> wrote:
> marcin mank wrote:
>> A certain prominent web framework has a nasty SQL injection bug when
>> PG is configured with SCS. This bug is not present without SCS
>> (details per email for interested PG hackers). I say, hold it off.
>
> Any web framework that interpolates user supplied values into SQL rather
> than using placeholders is broken from the get go, IMNSHO. I'm not saying
> that there aren't reasons to hold up moving to SCS, but this isn't one of
> them.

That seems more than slightly harsh. I've certainly come across
situations where interpolating values (with proper quoting of course)
made more sense than using placeholders. YMMV, of course.

....Robert

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: "David E. Wheeler" on
On Feb 3, 2010, at 6:16 PM, Robert Haas wrote:

>> Any web framework that interpolates user supplied values into SQL rather
>> than using placeholders is broken from the get go, IMNSHO. I'm not saying
>> that there aren't reasons to hold up moving to SCS, but this isn't one of
>> them.
>
> That seems more than slightly harsh. I've certainly come across
> situations where interpolating values (with proper quoting of course)
> made more sense than using placeholders. YMMV, of course.

Not if it leads to Little Bobby Tables's door when, you know, you use SQL conformant strings! Sounds like an app that needs its quoting function fixed.

Best,

David


--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Andrew Dunstan on


Robert Haas wrote:
> On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <andrew(a)dunslane.net> wrote:
>
>> marcin mank wrote:
>>
>>> A certain prominent web framework has a nasty SQL injection bug when
>>> PG is configured with SCS. This bug is not present without SCS
>>> (details per email for interested PG hackers). I say, hold it off.
>>>
>> Any web framework that interpolates user supplied values into SQL rather
>> than using placeholders is broken from the get go, IMNSHO. I'm not saying
>> that there aren't reasons to hold up moving to SCS, but this isn't one of
>> them.
>>
>
> That seems more than slightly harsh. I've certainly come across
> situations where interpolating values (with proper quoting of course)
> made more sense than using placeholders. YMMV, of course.
>
>
>

How many injection attacks should we witness before deciding that the
best defence is to get out of the quoting/escaping game? Personally I
have reached that threshold.

Remember that this is a web *framework*, something that would ideally be
using best practice and heightened security awareness. There could be
cases where some applications with well known structures and queries
interpolate carefully sanitised values into SQL, but I very much doubt
that web app frameworks should be indulging in such practices. They
should go the extra mile, IMNSHO.

Anyway, I think this conversation is going slightly astray.

cheers

andrew

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers