"Marc G. Fournier" <scrappy@hub.org> writes:
> Right, but you have to get a connection to the backend in order to crash
> it ... no?
The point was that it might be possible to exploit this with only
indirect access to the database, such as entering "date" information
into a webform that would hand off the value to the database with
little or no checking. Most of the risks we've been discussing require
the ability to issue chosen SQL commands, but this one only requires
the ability to determine a data value that's used in a SQL command.
Big difference.
regards, tom lane
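The data path Tom describes, as an added example that is not part of the thread: a form field whose value is handed to the database with no checking lets an attacker who never gets a database connection still choose the exact string the backend's date parser sees, while a strict application-side check plus a bound parameter closes that path. The web handler, the constructed form inputs and the use of sqlite3 in place of PostgreSQL (so it runs offline) are assumptions of this example; the specific backend bug the thread refers to is not reproduced here.

```python
"""Added example (not from the original mailing-list thread).

Assumptions not on the page: a Python web handler, and sqlite3 standing in
for PostgreSQL so the example runs offline.  Note that a sqlite3 TEXT column
has no date parser, so the unchecked path here merely stores junk; against a
PostgreSQL date column the same string would be fed to the backend's date
input routine, which is exactly the exposure the thread is about.
"""
import sqlite3
from datetime import date

# Constructed inputs a form could deliver; only the first is a real date.
CONSTRUCTED_FORM_INPUTS = [
    "2004-01-01",   # what the form expects
    "2004-02-30",   # not a real calendar date
    "x" * 4096,     # oversized junk a date parser was never written for
    "2004-1-1",     # non-canonical; a lenient parser might take it
]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, happened_on TEXT NOT NULL)"
    )
    return conn


def insert_unchecked(conn, form_value):
    """The pattern the thread warns about: the form value is spliced into the
    statement verbatim, so the database sees whatever the user typed."""
    conn.execute("INSERT INTO events (happened_on) VALUES ('%s')" % form_value)
    conn.commit()
    row = conn.execute(
        "SELECT happened_on FROM events ORDER BY id DESC LIMIT 1"
    ).fetchone()
    return row[0]


def parse_form_date(form_value):
    """Strict application-side validation: exactly 10 characters, parseable
    as YYYY-MM-DD, and canonical (round-trips through isoformat).  Anything
    else is rejected before it can reach the database's own parser."""
    if not isinstance(form_value, str) or len(form_value) != 10:
        raise ValueError("date must be exactly YYYY-MM-DD")
    try:
        parsed = date.fromisoformat(form_value)
    except ValueError as exc:
        raise ValueError("not a valid calendar date") from exc
    if parsed.isoformat() != form_value:
        raise ValueError("non-canonical date spelling")
    return parsed


def insert_checked(conn, form_value):
    """Validate first, then bind the canonical value as a parameter so the
    statement text never depends on user input."""
    parsed = parse_form_date(form_value)
    conn.execute(
        "INSERT INTO events (happened_on) VALUES (?)", (parsed.isoformat(),)
    )
    conn.commit()
    return parsed.isoformat()


def accepted_dates(form_values):
    """Run a batch of form values through the strict check; returns the
    canonical strings that pass."""
    out = []
    for value in form_values:
        try:
            out.append(parse_form_date(value).isoformat())
        except ValueError:
            pass
    return out


if __name__ == "__main__":
    db = setup_db()
    for value in CONSTRUCTED_FORM_INPUTS:
        stored = insert_unchecked(db, value)
        print("unchecked path stored %d bytes" % len(stored))
    print("strict check accepts:", accepted_dates(CONSTRUCTED_FORM_INPUTS))
```

The length cap and the canonical round-trip are the parts that matter for the risk in the thread: they guarantee the database's date parser only ever receives one fixed shape of input, regardless of what the form delivered, and the bound parameter keeps the statement text itself out of the attacker's hands.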