Re: Protection from SQL injection

> Sure, modifying the WHERE clause is still possible, but the attacker is
> a lot more limited in what he can do if he can't tack on a whole new
> command.

	I hacked into a site like that some day to show a guy that you shouldn't 

trust magicquotes (especially when you switch hosting providers and it's  
not installed at your new provider, lol).
	Binary search on the password field by adding some stuff to the WHERE...
	You could still wipe out tables (just add a "' OR 1;--" to the id in the 

url to delete somthing...

	But it's true that preventing multi-statements adds a layer of  
idiot-proofness... a rather thin layer...

>
> The im****tant aspects of this that I see are:
>
> 1. Inexpensive to implement;
> 2. Unlikely to break most applications;
> 3. Closes off a fairly large class of injection attacks.
>
> The cost/benefit ratio looks pretty good (unlike the idea that started
> this thread...)
>
> 			regards, tom lane
>



-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@[EMAIL PROTECTED]
)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers