Slashdot Mirror


PostgreSQL 8.1.4 Released to Plug Injection Hole

alurkar writes to tell us that PostgreSQL released version 8.1.4 today in order to combat a security flaw allowing a SQL injection attack. From the article: "The vulnerability affects PostgreSQL servers exposed to untrusted input, such as input coming from Web forms, in conjunction with multi-byte encodings like Shift-JIS (SJIS), 8-bit Unicode Transformation Format (UTF-8), 16-bit Unicode Transformation Format (UTF-16), and BIG5. In particular, Berkus says that applications using 'ad-hoc methods to "escape" strings going into the database, such as regexes, or PHP3's addslashes() and magic_quotes' are particularly unsafe. 'Since these bypass database-specific code for safe handling of strings, many such applications will need to be re-written to become secure.'"
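
The byte-level mechanism behind the flaw, as an added example (not code from PostgreSQL, PHP or the article): in Shift-JIS, BIG5 and similar encodings the byte 0x5C, ASCII backslash, is a legal trail byte of a two-byte character. A byte-oriented escaper such as addslashes() inserts a backslash before an attacker-supplied quote; the server's encoding-aware lexer then reads the preceding lead byte plus that backslash as one character, and the quote is left unescaped and closes the literal early. The script below models such a lexer with Python's own Shift_JIS codec. It assumes backslash escapes are enabled inside string literals and that client_encoding is Shift_JIS (neither is stated on the page), and all inputs are constructed for the demonstration.

```python
"""Byte-level model of the multibyte escaping flaw fixed in PostgreSQL 8.1.4.

Added example; not code from the PostgreSQL project, PHP, or the article.
Assumed (not stated on the page): the server lexes string literals with
backslash escapes enabled, the client encoding is Shift_JIS, and the
input bytes below are constructed for the demonstration.
"""
import codecs

ENCODING = "shift_jis"  # assumed client_encoding; BIG5 and GBK share the 0x5C trail-byte problem


def addslashes(raw: bytes) -> bytes:
    """PHP-style addslashes()/magic_quotes: prefix ' " \\ and NUL with a
    backslash, byte by byte, knowing nothing about the encoding."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_by_doubling(raw: bytes) -> bytes:
    """SQL-standard quoting: ' becomes ''. Never inserts a backslash."""
    return raw.replace(b"'", b"''")


def escape_encoding_aware(raw: bytes, encoding: str = ENCODING) -> bytes:
    """Connection-aware escaping: validate the bytes as the client encoding
    first (bad sequences are refused before they reach SQL), then double
    quotes on characters, not bytes."""
    text = raw.decode(encoding)  # UnicodeDecodeError on an invalid sequence
    return text.replace("'", "''").encode(encoding)


def lex_literal(query: bytes, encoding: str = ENCODING):
    """Simplified multibyte-aware lexer for the first '...' literal in query,
    with backslash escapes on. Bytes are fed one at a time to the real codec,
    so a 0x5C that is the trail byte of a two-byte character is part of that
    character, not a backslash. Returns (literal_text, bytes_after_literal);
    raises UnicodeDecodeError on an invalid sequence, as 8.1.4 does."""
    pos = char_start = query.index(b"'") + 1
    dec = codecs.getincrementaldecoder(encoding)(errors="strict")
    literal, escaped, pending_quote = [], False, False
    while pos < len(query):
        ch = dec.decode(query[pos:pos + 1])
        pos += 1
        if not ch:            # lead byte: the codec is waiting for the trail byte
            continue
        this_start, char_start = char_start, pos
        if pending_quote:     # previous char was a quote: '' or end of literal?
            pending_quote = False
            if ch == "'":
                literal.append("'")
                continue
            return "".join(literal), query[this_start:]
        if escaped:
            literal.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            pending_quote = True
        else:
            literal.append(ch)
    if pending_quote:
        return "".join(literal), b""
    raise ValueError("unterminated string literal")


def build_query(escaped_name: bytes) -> bytes:
    return b"SELECT id FROM users WHERE name = '" + escaped_name + b"'"


def run(raw: bytes, escaper):
    """Escape raw with escaper, splice it into a query and lex it the way the
    server would. Returns (verdict, literal_text, bytes_after_literal)."""
    try:
        escaped = escaper(raw)
    except UnicodeDecodeError:
        return ("rejected by client escaper", None, None)
    try:
        literal, rest = lex_literal(build_query(escaped))
    except UnicodeDecodeError:
        return ("rejected by server lexer", None, None)
    return ("clean" if rest == b"" else "injected", literal, rest)


# Constructed attacker input: 0x95 is a Shift_JIS lead byte. addslashes turns
# the following ' into 5C 27; the lexer reads 95 5C as one character (the
# kanji at SJIS 0x955C), leaving 27 as an unescaped quote that closes the
# literal early, so " OR 1=1 --" becomes part of the statement.
ATTACK = b"\x95' OR 1=1 --"
BENIGN = b"O'Brien"

if __name__ == "__main__":
    for name, esc in [("addslashes", addslashes),
                      ("doubling", escape_by_doubling),
                      ("encoding-aware", escape_encoding_aware)]:
        print(f"{name:15s} {run(ATTACK, esc)}")
    print(f"{'benign':15s} {run(BENIGN, escape_encoding_aware)}")
```

The addslashes row reports "injected" with ` OR 1=1 --'` left over after the literal. Quote doubling inserts no backslash, but the attacker's bytes then form the invalid sequence 0x95 0x27, which the lexer refuses; that is the server-side defence 8.1.4 added (invalid multibyte sequences are now rejected, and the backslash_quote setting refuses \' in encodings where backslash can be a trail byte). An escaper that validates the input in the connection's encoding, which is what the libpq PQescapeStringConn() introduced with this release does, refuses the bytes before they ever reach SQL. Parameterized queries sidestep the whole problem, since the value is never spliced into text the lexer has to parse.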

6 of 162 comments

  1. Plug Injection Hole by fudgefactor7 · Score: 5, Funny

    heh, heh, heh... I'll plug your injection hole, baby!

  2. The jokes, they write themselves! by Kha+Na+Set · Score: 4, Funny

    Must....not....make....joke....about...injection hole...being plugged...

    Damn, too late.

    =\

  3. Why is everybody still using this toy DB? by Anonymous Coward · Score: 2, Funny

    That's why I prefer Postgre. Oh, wait...

  4. Re:Josh Berkus by SaDan · Score: 2, Funny

    "By the way, the dangling reference to a quote by one "Berkus" should be attributed to Josh Berkus." --Russ Nelson

  5. Re:Josh Berkus by LearnToSpell · Score: 2, Funny

    "'By the way, the dangling reference to a quote by one "Berkus" should be attributed to Josh Berkus.' --Russ Nelson" --SaDan

  6. Re:Josh Berkus by poot_rootbeer · Score: 2, Funny

    '"\'By the way, the dangling reference to a quote by one "Berkus" should be attributed to Josh Berkus.\' --Russ Nelson" --SaDan' --LearnToSpell