public inbox for [email protected]
help / color / mirror / Atom feedFrom: Magnus Hagander <[email protected]>
To: Josh Berkus <[email protected]>
Cc: [email protected]
Subject: Re: Your FAQ page :-)
Date: Tue, 23 May 2006 19:33:15 +0200
Message-ID: <[email protected]> (raw)
> > Applications which use parameterized prepared statement syntax
> > exclusively (e.g. "SELECT * FROM table WHERE id = ?", $var1).
> >
> >
> > Umm. AFAIK that's only true if the client library actually uses
> > paremetrised queries over the wire, which I'm quite sure
> all don't. I
> > beleive PHP doesn't, at leas tnot until the very latest
> version, for
> > example.
>
> Hmmm. Can you think of a way to re-word that without doing
> an entire paragraph?
The wording I have for the bugtraq post (out in a couple of minutes) is:
* If application always sends untrusted strings as out-of-line
parameters,
instead of embedding them into SQL commands, it is not vulnerable.
This is
only available in PostgreSQL 7.4 or later.
Based on Toms suggestion.
Though that may be a bit too technical? ;)
//Magnus
view thread (7+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: Your FAQ page :-)
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox