public inbox for [email protected]
Re: Your FAQ page :-)
7+ messages / 3 participants
* Re: Your FAQ page :-)
From: Josh Berkus @ 2006-05-23 17:31 UTC (permalink / raw)
To: Magnus Hagander <[email protected]>; +Cc: pgsql-www
Magnus,
> Applications which use parameterized prepared statement syntax
> exclusively (e.g. "SELECT * FROM table WHERE id = ?", $var1).
>
> Umm. AFAIK that's only true if the client library actually uses
> parametrised queries over the wire, which I'm quite sure all don't. I
> believe PHP doesn't, at least not until the very latest version, for
> example.
Hmmm. Can you think of a way to re-word that without doing an entire
paragraph?
--
Josh Berkus
PostgreSQL @ Sun
San Francisco
From: Magnus Hagander @ 2006-05-23 17:33 UTC (permalink / raw)
To: Josh Berkus <[email protected]>; +Cc: pgsql-www
> > Applications which use parameterized prepared statement syntax
> > exclusively (e.g. "SELECT * FROM table WHERE id = ?", $var1).
> >
> > Umm. AFAIK that's only true if the client library actually uses
> > parametrised queries over the wire, which I'm quite sure all don't. I
> > believe PHP doesn't, at least not until the very latest version, for
> > example.
>
> Hmmm. Can you think of a way to re-word that without doing
> an entire paragraph?
The wording I have for the bugtraq post (out in a couple of minutes) is:
* If the application always sends untrusted strings as out-of-line
parameters, instead of embedding them into SQL commands, it is not
vulnerable. This is only available in PostgreSQL 7.4 or later.
Based on Tom's suggestion.
Though that may be a bit too technical? ;)
//Magnus
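To make the wording concrete, here is an added illustration (not the project's code or anyone's from this thread) of the distinction Magnus draws: the same untrusted value sent as a simple Query with client-side escaping, and sent out-of-line via the 7.4+ extended query protocol. The encoders are hand-rolled for this example from the v3 protocol message layouts; the table, query template and value are constructed.

```python
import struct

# Hand-rolled encoders for this example (not libpq or any driver's code); they follow the
# PostgreSQL v3 frontend/backend protocol layout for the Query, Parse and Bind messages.

def _cstr(s: str) -> bytes:
    """NUL-terminated UTF-8 string, the protocol's String type."""
    return s.encode("utf-8") + b"\x00"

def _msg(tag: bytes, body: bytes) -> bytes:
    """Frame a message: one-byte tag, Int32 length (counting itself), then body."""
    return tag + struct.pack("!i", len(body) + 4) + body

def simple_query_interpolated(sql_template: str, value: str) -> bytes:
    """Client-side emulation: escape the value, splice it into the SQL text and send
    one simple Query ('Q') message. The server only ever sees a string, so safety
    rests entirely on the client's escaping being right for the connection encoding."""
    escaped = value.replace("'", "''")
    return _msg(b"Q", _cstr(sql_template.replace("?", "'" + escaped + "'")))

def extended_query_out_of_line(sql: str, value: str) -> tuple:
    """Out-of-line parameter (7.4+ extended query protocol): the SQL with a $1
    placeholder goes in a Parse ('P') message, the untrusted value goes separately in
    a Bind ('B') message as a length-prefixed byte string. The statement is parsed
    before the value arrives, so the value cannot alter its structure."""
    parse_body = _cstr("") + _cstr(sql) + struct.pack("!h", 0)  # unnamed stmt, 0 param types
    raw = value.encode("utf-8")
    bind_body = (
        _cstr("") + _cstr("")                 # unnamed portal, unnamed statement
        + struct.pack("!h", 0)                # 0 parameter format codes: all text
        + struct.pack("!h", 1)                # one parameter value follows
        + struct.pack("!i", len(raw)) + raw   # Int32 length + bytes, no escaping
        + struct.pack("!h", 0)                # 0 result format codes: text
    )
    return _msg(b"P", parse_body), _msg(b"B", bind_body)

def query_text_in_parse(parse_msg: bytes) -> str:
    """Extract the SQL text the server would parse from a Parse message."""
    body = parse_msg[5:]                      # skip tag and Int32 length
    name_end = body.index(b"\x00")            # end of (empty) statement name
    return body[name_end + 1:body.index(b"\x00", name_end + 1)].decode("utf-8")

# Constructed sample input: a legitimate value that happens to contain a quote.
UNTRUSTED = "O'Brien"

if __name__ == "__main__":
    print(simple_query_interpolated("SELECT * FROM t WHERE id = ?", UNTRUSTED))
    parse, bind = extended_query_out_of_line("SELECT * FROM t WHERE id = $1", UNTRUSTED)
    print(query_text_in_parse(parse), bind)
```

A driver that only emulates placeholders produces the first shape on the wire, which is why the FAQ caveat depends on the client library and not just on the application's syntax.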
From: Josh Berkus @ 2006-05-23 17:41 UTC (permalink / raw)
To: Magnus Hagander <[email protected]>; +Cc: pgsql-www
Magnus,
> The wording I have for the bugtraq post (out in a couple of minutes) is:
> * If the application always sends untrusted strings as out-of-line
> parameters, instead of embedding them into SQL commands, it is not
> vulnerable. This is only available in PostgreSQL 7.4 or later.
Fixed. I love CMSes, even when they're buggy. ;-)
--
Josh Berkus
PostgreSQL @ Sun
San Francisco
From: Tom Lane @ 2006-05-23 17:46 UTC (permalink / raw)
To: Josh Berkus <[email protected]>; +Cc: pgsql-www
BTW, I notice that http://www.postgresql.org/docs/techdocs.52
points for "release notes" to
http://www.postgresql.org/docs/8.1/static/release.html, which
is not up to date.
A quick fix is to point to devel docs instead:
http://developer.postgresql.org/docs/postgres/release.html
Someone should update the website copies of the docs, but I dunno
when that will happen.
regards, tom lane
From: Josh Berkus @ 2006-05-23 17:48 UTC (permalink / raw)
To: pgsql-www; +Cc: Tom Lane <[email protected]>
Tom,
> A quick fix is to point to devel docs instead:
> http://developer.postgresql.org/docs/postgres/release.html
Fixed, temporarily.
--
Josh Berkus
PostgreSQL @ Sun
San Francisco
From: Magnus Hagander @ 2006-05-23 17:54 UTC (permalink / raw)
To: Tom Lane <[email protected]>; Josh Berkus <[email protected]>; +Cc: pgsql-www
> BTW, I notice that http://www.postgresql.org/docs/techdocs.52
> points for "release notes" to
> http://www.postgresql.org/docs/8.1/static/release.html, which
> is not up to date.
>
> A quick fix is to point to devel docs instead:
> http://developer.postgresql.org/docs/postgres/release.html
>
> Someone should update the website copies of the docs, but I
> dunno when that will happen.
I'm loading them right now.
//Magnus
From: Magnus Hagander @ 2006-05-23 18:48 UTC (permalink / raw)
To: Magnus Hagander <[email protected]>; Tom Lane <[email protected]>; Josh Berkus <[email protected]>; +Cc: pgsql-www
> > BTW, I notice that http://www.postgresql.org/docs/techdocs.52
> > points for "release notes" to
> > http://www.postgresql.org/docs/8.1/static/release.html, which is not
> > up to date.
> >
> > A quick fix is to point to devel docs instead:
> > http://developer.postgresql.org/docs/postgres/release.html
> >
> > Someone should update the website copies of the docs, but I dunno when
> > that will happen.
>
> I'm loading them right now.
Loaded and rebuilt, will be in next site update.
//Magnus