Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: Re: Your FAQ page :-)
Date: Tue, 23 May 2006 19:33:15 +0200
Message-ID: <6BCB9D8A16AC4241919521715F4D8BCEA0F9AE@algol.sollentuna.se>
Thread-Topic: Your FAQ page :-)
Thread-Index: AcZ+jq7QKRjIcgjBQ4e/T+M3JnE+tgAACwZg
From: "Magnus Hagander" <mha@sollentuna.net>
To: "Josh Berkus" <josh@agliodbs.com>
Cc: <pgsql-www@postgresql.org>

> > Applications which use parameterized prepared statement syntax=20
> > exclusively (e.g. "SELECT * FROM table WHERE id =3D ?", $var1).
> >
> >
> > Umm. AFAIK that's only true if the client library actually uses=20
> > paremetrised queries over the wire, which I'm quite sure=20
> all don't. I=20
> > beleive PHP doesn't, at leas tnot until the very latest=20
> version, for=20
> > example.
>=20
> Hmmm.  Can you think of a way to re-word that without doing=20
> an entire paragraph?

The wording I have for the bugtraq post (out in a couple of minutes) is:
* If application always sends untrusted strings as out-of-line
parameters,
  instead of embedding them into SQL commands, it is not vulnerable.
This is
  only available in PostgreSQL 7.4 or later.

Based on Toms suggestion.

Though that may be a bit too technical? ;)

//Magnus