So I'd like to pull this back to a few salient points. Weirdly,
some folks seem quick to dismiss the paper with a
didactic shot of "folks shouldn't code that way anyway"
which has nothing to do with the subject.
1. I think everyone on SC-L gets the idea of strong
patterns and implementations, and
If I understand this correctly, it's difficult to exploit because if you can
alter database types, you probably can send arbitrary SQL statements to the
database somehow already. In that case, what extra capabilities does this
attack give you?
When I design applications using Postgresql, I d
On Tue, 29 Apr 2008, Joe Teff wrote:
> > If I use Parameterized queries w/ binding of all variables, I'm 100%
> > immune to SQL Injection.
>
> Sure. You've protected one app and transferred risk to any other
> process/app that uses the data. If they use that data to create dynamic
> sql, then wha
> If I use Parameterized queries w/ binding of all variables, I'm 100%
> immune to SQL Injection.
Sure. You've protected one app and transferred risk to any other
process/app that uses the data. If they use that data to create dynamic
sql, then what?
jt
-----Original Message-----
From: Jim Man
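Joe Teff's point above (that binding every variable protects the app doing the insert but not a second process that later builds dynamic SQL from the stored value) is the classic second-order injection. The following is an added illustration, not code from anyone on the thread: "app A" stores a crafted name with a bound parameter, and "app B" later reads that name back and concatenates it into a query. Python's bundled sqlite3 module, the in-memory database, the table names and the sample rows are all constructed for the example.

```python
import sqlite3

# Constructed sample input: a display name an attacker might register with.
# App A stores it correctly with a bound parameter, so the string lands in the
# table verbatim, including the quote and the OR clause.
ATTACKER_NAME = "mallory' OR '1'='1"


def setup_db():
    """Create an in-memory database with two apps' worth of data (constructed)."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    cur.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    # App A: fully parameterized. There is no injection at this step.
    for name in ("alice", "bob", ATTACKER_NAME):
        cur.execute("INSERT INTO users (name) VALUES (?)", (name,))
    cur.executemany(
        "INSERT INTO orders (owner, item) VALUES (?, ?)",
        [("alice", "laptop"), ("bob", "phone"), ("alice", "monitor")],
    )
    conn.commit()
    return conn


def orders_for_user_dynamic(conn, user_id):
    """App B, vulnerable: trusts the stored name because 'it came from our own DB'
    and splices it into SQL. The stored quote breaks out of the literal."""
    name = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    sql = f"SELECT owner, item FROM orders WHERE owner = '{name}' ORDER BY id"
    return conn.execute(sql).fetchall()


def orders_for_user_bound(conn, user_id):
    """App B, fixed: the value read back from the database is bound like any
    other untrusted input, so the quote is just data."""
    name = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return conn.execute(
        "SELECT owner, item FROM orders WHERE owner = ? ORDER BY id", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    attacker_id = 3  # third row inserted above
    print("dynamic SQL :", orders_for_user_dynamic(db, attacker_id))  # every order
    print("bound SQL   :", orders_for_user_bound(db, attacker_id))    # nothing
```

The vulnerable path returns every row in `orders` for a user who owns none of them, even though the only place the attacker ever typed anything was the parameterized insert in app A. The fix is the same rule applied consistently: data read back from the database is still input to the next query, and gets bound, not concatenated.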