(no title)
jason-phillips | 10 months ago
Parameterized queries.
A decades old struggle is now lifted from you. Go in peace, my son.
ololobus|10 months ago
Also happy to be wrong, but in Postgres clients, parametrized queries are usually implemented via prepared statements, which do not work with DDL on the protocol level. This means that if you want to create a role or table whose name is a user input, you have a bad time. At least I wasn’t able to find a way to escape DDL parameters with rust-postgres, for example.
And because this seems to be a protocol limitation, I guess the clients that do implement it, do it in some custom way on the client side.
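The client-side identifier escaping this comment refers to, as an added example that is not part of the thread and not rust-postgres code: it applies PostgreSQL's delimited-identifier rules (wrap in double quotes, double any embedded quote) before a role name is placed into DDL. The names `quote_ident`, `create_role_sql` and `IdentError` are hypothetical, and the inputs are constructed.

```rust
// Added example: client-side quoting of a user-supplied name for PostgreSQL DDL.
// All names here are hypothetical; no database driver is involved.

/// With the default NAMEDATALEN of 64, PostgreSQL keeps at most 63 bytes of an identifier.
const MAX_IDENT_BYTES: usize = 63;

#[derive(Debug, PartialEq)]
enum IdentError {
    Empty,          // "" is rejected by the server (zero-length delimited identifier)
    NulByte,        // NUL cannot appear in an identifier
    TooLong(usize), // refuse instead of letting the server truncate silently
}

/// Quote `name` as a delimited identifier: "..." with every embedded " doubled.
fn quote_ident(name: &str) -> Result<String, IdentError> {
    if name.is_empty() {
        return Err(IdentError::Empty);
    }
    if name.contains('\0') {
        return Err(IdentError::NulByte);
    }
    if name.len() > MAX_IDENT_BYTES {
        return Err(IdentError::TooLong(name.len()));
    }
    let mut out = String::with_capacity(name.len() + 2);
    out.push('"');
    for c in name.chars() {
        if c == '"' {
            out.push('"'); // doubling keeps the quote inside the identifier
        }
        out.push(c);
    }
    out.push('"');
    Ok(out)
}

/// Build the DDL text; the role name is the only interpolated value.
fn create_role_sql(role: &str) -> Result<String, IdentError> {
    Ok(format!("CREATE ROLE {} NOLOGIN", quote_ident(role)?))
}

fn main() {
    // Constructed inputs: a plain name, a mixed-case name, and one that tries to close the quote.
    for input in ["reporting", "Mixed Case", "x\"; DROP TABLE users; --"] {
        println!("{:?}", create_role_sql(input));
    }
}
```

Rejecting over-long names rather than truncating avoids two distinct inputs mapping to the same role name.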
jason-phillips|10 months ago
pjmlp|10 months ago
The problem is that solutions don't exist, rather the lack of safety culture that keeps ignoring best practices unless they are imposed by regulations.
chrisweekly|10 months ago
you meant "problem ISN'T that solutions...", right?