From: Josh Berkus
Organization: PostgreSQL @ Sun
To: "Magnus Hagander"
Cc: pgsql-www@postgresql.org
Subject: Re: Your FAQ page :-)
Date: Tue, 23 May 2006 10:41:45 -0700
Message-Id: <200605231041.45327.josh@agliodbs.com>

Magnus,

> The wording I have for the bugtraq post (out in a couple of minutes) is:
> * If application always sends untrusted strings as out-of-line parameters,
>   instead of embedding them into SQL commands, it is not vulnerable. This is
>   only available in PostgreSQL 7.4 or later.

Fixed. I love CMSes, even when they're buggy. ;-)

-- 
Josh Berkus
PostgreSQL @ Sun
San Francisco
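
What "out-of-line parameters" in the quoted wording means on the wire, as an added example that is not part of the original message or of PostgreSQL's own code: it hand-builds frontend messages of protocol version 3.0 (introduced with PostgreSQL 7.4) to show the untrusted string travelling in a Bind message as length-prefixed bytes, separate from the SQL text in Parse. The function names, the `users` table and the sample input are constructed for illustration.

```python
import struct

def cstr(s):
    return s.encode("utf-8") + b"\x00"  # protocol strings are NUL-terminated

def msg(tag, body):
    # Type byte, then an Int32 length that counts itself but not the type byte.
    return tag + struct.pack("!I", len(body) + 4) + body

def simple_query(sql):
    return msg(b"Q", cstr(sql))  # whole string goes to the SQL parser

def parse_msg(sql, stmt=""):
    # SQL text with $n placeholders; 0 = no parameter type OIDs specified.
    return msg(b"P", cstr(stmt) + cstr(sql) + struct.pack("!H", 0))

def bind_msg(params, portal="", stmt=""):
    body = cstr(portal) + cstr(stmt) + struct.pack("!H", 0)  # 0 format codes: all text
    body += struct.pack("!H", len(params))
    for p in params:
        raw = None if p is None else p.encode("utf-8")
        # Each value is length-prefixed bytes; length -1 means NULL.
        body += struct.pack("!i", -1) if raw is None else struct.pack("!i", len(raw)) + raw
    return msg(b"B", body + struct.pack("!H", 0))  # 0 result format codes: text

def bind_params(message):
    """Decode a Bind message and return its parameter values (bytes or None)."""
    if message[:1] != b"B":
        raise ValueError("not a Bind message")
    (length,) = struct.unpack_from("!I", message, 1)
    body = message[5:1 + length]
    pos = body.index(b"\x00") + 1       # skip portal name
    pos = body.index(b"\x00", pos) + 1  # skip statement name
    (nfmt,) = struct.unpack_from("!H", body, pos)
    pos += 2 + 2 * nfmt
    (nparams,) = struct.unpack_from("!H", body, pos)
    pos += 2
    values = []
    for _ in range(nparams):
        (n,) = struct.unpack_from("!i", body, pos)
        pos += 4
        values.append(None if n < 0 else body[pos:pos + n])
        pos += max(n, 0)
    return values

UNTRUSTED = "x' OR '1'='1"  # constructed sample input
EMBEDDED = simple_query("SELECT id FROM users WHERE name = '" + UNTRUSTED + "'")
PARSE = parse_msg("SELECT id FROM users WHERE name = $1")  # hypothetical table
BIND = bind_msg([UNTRUSTED, None])
```

In `EMBEDDED` the quote characters of the input become part of the statement the server parses; in the `PARSE`/`BIND` pair the statement text is fixed before any input is seen, and the value is delimited by its byte count rather than by quoting.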