It's unfortunate that the wording of the email subject (and the current HN submission title) can make it sound like the problem is with PostgreSQL, when it's really a problem with Active Record's adapter for PostgreSQL.
PostgreSQL itself isn't responsible or affected, contrary to what the "Vulnerabilities Affecting PostgreSQL" phrasing suggests at a glance.
(I get only critical stuff as pushes, and get notified even in the rare case that the rails security email goes to spam as it happened once previously).
You should be able to see if you are vulnerable by running this query:
select
cn.nspname as schema,
relname as table,
attname as column,
tn.nspname as type_schema,
typname as type_name
from pg_attribute a
inner join pg_class c on a.attrelid = c.oid
inner join pg_namespace cn on c.relnamespace = cn.oid
inner join pg_type t on a.atttypid = t.oid
inner join pg_namespace tn on t.typnamespace = tn.oid
where (t.typtype = 'r' or t.typname = 'bit' or t.typname = 'varbit');
All ORMs build at least some of their SQL using string concatenation.
Prepared statements with bind variables only work when the SQL string is static and only the variables change - but ORMS are used to construct full SQL statements with custom select / while / join clauses etc.
Yes, all ORM's build their SQL using string concatenation, BUT the good ORM's won't use string concatenation on user data, instead they will use bind parameters.
This way the query sent to the server looks like this:
SELECT * FROM whatever WHERE email = :1 AND user_name = :2;
And then the parameters are passed to the database server separately to bind to the above placeholders.
This way the database server knows what is user provided data and what is part of the SQL, and no special quoting is required since the database server handles that internally. It's much safer in that SQL injection becomes impossible at that point.
No, you just have to use some intelligence in tracking your bind variables and bind values together instead of blindly bashing strings together, then at some distant location in the code guess & hope about the number of bind values used. I've got code that does it just fine.
No you can definitely use prepared statements with bind variables since you can dynamically name the bind variables. So if you have a statement where you don't know how many bind variables will go into the query you can give the bind variable a name and add a number at the end that you increment for each additional bind variable (e.g. @param + i for @param1, @param2, @param3, etc.).
Depending on how complex your query is it can get to be a bit of work but it's doable.
PostgreSQL itself isn't responsible or affected, contrary to what the "Vulnerabilities Affecting PostgreSQL" phrasing suggests at a glance.