Re: PG 9.0 and standard_conforming_strings

From: Robert Haas
Subject: Re: PG 9.0 and standard_conforming_strings
Date:
Msg-id: 603c8f071002031816l1262ba1bne30e0fedbb4b1744@mail.gmail.com
In reply to: Re: PG 9.0 and standard_conforming_strings  (Andrew Dunstan <andrew@dunslane.net>)
Responses: Re: PG 9.0 and standard_conforming_strings  ("David E. Wheeler" <david@kineticode.com>)
Re: PG 9.0 and standard_conforming_strings  (Andrew Dunstan <andrew@dunslane.net>)
List: pgsql-hackers
On Wed, Feb 3, 2010 at 5:57 PM, Andrew Dunstan <andrew@dunslane.net> wrote:
> marcin mank wrote:
>> A certain prominent web framework has a nasty SQL injection bug when
>> PG is configured with SCS. This bug is not present without SCS
>> (details per email for interested PG hackers). I say, hold it off.
>
> Any web framework that interpolates user supplied values into SQL rather
> than using placeholders is broken from the get go, IMNSHO. I'm not saying
> that there aren't reasons to hold up moving to SCS, but this isn't one of
> them.

That seems more than slightly harsh.  I've certainly come across
situations where interpolating values (with proper quoting of course)
made more sense than using placeholders.  YMMV, of course.

...Robert
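The disagreement above is about whether client-side quoting can be "proper" at all. The subtlety that makes it fragile is the one the thread is named after: with standard_conforming_strings (SCS) off, a backslash inside a '...' literal is an escape character, so a quoter that writes \' is fine; with SCS on, backslashes are ordinary characters and that same \' is a backslash followed by the terminating quote, so the literal ends early and the rest of the value is parsed as SQL. The following is an added example, not code from the thread or from any framework it alludes to: a quoter that is correct under either SCS setting, a constructed MySQL-style backslash quoter standing in for the broken kind, and a small scanner that checks whether a quoted literal really spans its whole output and decodes back to the original value. Function names, the sample inputs and the simplified escape decoding are all assumptions of this example.

```python
# Added example (not from the pgsql-hackers thread): quoting helpers for
# PostgreSQL string literals under both settings of
# standard_conforming_strings (SCS), plus a scanner that checks them.


def quote_literal(value: str, scs: bool) -> str:
    """Quote VALUE as a PostgreSQL '...' literal for the given SCS setting.

    Doubling the single quote ('') is valid in both modes.  With SCS off,
    a backslash inside '...' is an escape character, so it must be doubled
    as well (this mirrors what libpq's PQescapeStringConn does).
    """
    escaped = value.replace("'", "''")
    if not scs:
        escaped = escaped.replace("\\", "\\\\")
    return "'" + escaped + "'"


def backslash_quote(value: str) -> str:
    """Constructed stand-in for a MySQL-style quoter: escapes ' and \\ with a backslash.

    Correct only while SCS is off; with SCS on, \\' is a literal backslash
    followed by the terminating quote, so the literal ends too early.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def parse_literal(sql: str, scs: bool):
    """Scan the '...' literal at the start of SQL using PostgreSQL's rules for SCS.

    Returns (decoded_value, end_index), where end_index is one past the
    closing quote.  Only '' and the backslash escapes \\\\ and \\' are decoded
    faithfully; other escapes (\\n, \\t, octal, ...) are simplified to the
    character after the backslash.  Raises ValueError if the literal is not
    terminated.
    """
    if not sql.startswith("'"):
        raise ValueError("literal must start with a single quote")
    out = []
    i, n = 1, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                out.append("'")  # doubled quote, valid in both modes
                i += 2
                continue
            return "".join(out), i + 1  # closing quote
        if c == "\\" and not scs and i + 1 < n:
            out.append(sql[i + 1])  # backslash escape, SCS off only
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def round_trips(quoter, value: str, scs: bool) -> bool:
    """True iff quoter(value) is one literal covering its whole output that decodes to VALUE."""
    quoted = quoter(value)
    try:
        decoded, end = parse_literal(quoted, scs)
    except ValueError:
        return False
    return end == len(quoted) and decoded == value


# Constructed sample inputs covering quotes, backslashes and both together.
SAMPLES = ["plain", "O'Reilly", "C:\\temp\\new", "it's \\ mixed"]


def check_quoter(quoter, scs: bool) -> bool:
    """Run every sample through QUOTER under the given SCS setting."""
    return all(round_trips(quoter, v, scs) for v in SAMPLES)


if __name__ == "__main__":
    for scs in (False, True):
        label = "on" if scs else "off"
        good = check_quoter(lambda v: quote_literal(v, scs), scs)
        naive = check_quoter(backslash_quote, scs)
        print(f"standard_conforming_strings={label}: quote_literal "
              f"{'ok' if good else 'BROKEN'}, backslash_quote "
              f"{'ok' if naive else 'BROKEN'}")
```

Running the block reports the backslash quoter as fine with SCS off and broken with SCS on, while the quote-doubling form passes under both. The practical reading is the one both participants would agree on: quoting done client-side is only "proper" if the quoter knows the server's SCS setting (or uses a form valid under both), which is why placeholders, or server-side quoting such as PostgreSQL's quote_literal() function, remove the question entirely.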
