Re: [SECURITY] DoS attack on backend possible
Justin Clift <justin@postgresql.org>
From: Justin Clift <justin@postgresql.org>
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Cc: pgsql-hackers@postgresql.org
Date: 2002-08-19T17:07:30Z
Lists: pgsql-hackers
Hi Florian, You guys *definitely* write scarey code. :-( Regards and best wishes, Justin Clift Florian Weimer wrote: > > Alvar Freude <alvar@a-blast.org> writes: > > >> What about checking the input for backslash, quote, > >> and double quote (\'")? If you are not taking care of those in input > >> then crashing the backend is going to be the least of your worries. > > > > with Perl and *using placeholders and bind values*, the application > > developer has not to worry about this. So, usually I don't check the > > values in my applications (e.g. if only values between 1 and 5 are > > allowed and under normal circumstances only these are possible), it's the > > task of the database (check constraint). > > That's the idea. It's the job of the database to guarantee data > integrety. > > Obviously, the PostgreSQL developers disagree. If I've got to do all > checking in the application anyway, I can almost use MySQL > instead. ;-) > > -- > Florian Weimer Weimer@CERT.Uni-Stuttgart.DE > University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ > RUS-CERT fax +49-711-685-5898 > > ---------------------------(end of broadcast)--------------------------- > TIP 2: you can get off all lists at once with the unregister command > (send "unregister YourEmailAddressHere" to majordomo@postgresql.org) -- "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi