Re: [GENERAL] Postgres CGI Security Problem

Shawn T. Walker <swalker@iac.net>

From: "Shawn T. Walker" <swalker@iac.net>
To: Chris Hardie <chris@summersault.com>
Cc: M.Boekhold@et.tudelft.nl, pgsql-general@postgreSQL.org
Date: 1998-08-09T03:08:34Z
Lists: pgsql-general
Chris,

	Have you considered using the Perl DBI module.  It will let
you connect to a database with a username and a password. 

Example:

#!/usr/local/bin/perl

user DBI;

# Connect To Database
$conn= DBI->connect("dbi:Pg:dbname=$dbname",$dbuser, $dbpassword) || die("connect_database: Could Not Connect To Database $dbname AS $dbuser");


I hope this helps you out.  If you need any more info then feel free
to ask.

                                                         
           Shawn T. Walker  swalker@iac.net              
              Internet Access Cincinnati                 
                  http://www.iac.net

"Running enterprise applications on NT? Let the torture begin."
          - A Sun Microsystems Inc. banner ad

Chris Hardie writes:
 > 
 > The Apache suexec solution sounds like my quickest fix yet.  
 > 
 > The solutions involving setting up a httpd server running as a user that
 > can access my particular database still leaves my users` databases open to
 > write by other users, and seems kind of messy (but effective).
 > 
 > Several folks mentioned supplying a password to the database through the
 > CGI script.  I had a hard time finding good documentation on this scheme;
 > psql apparently supports the "-u" option that prompts for a password (and
 > I assume you're prompted anyway when you have the "crypt" option set for a
 > user/database in pg_dba.conf). But if you look in the source code for
 > psql, it seems there are two methods to connect to a database, PQconnectdb
 > which does allow for username/password, and PQsetdb, which *does not*.  
 > This means that someone could theoretically write a PERL module that uses
 > the latter method to connect and bypass the password scheme.
 > 
 > In anycase, I'm using the Postgres.pm module with PERL, and it doesn't
 > seem to support the passing of a username/password pair (correct me if I'm
 > wrong) from a CGI script.  I'll attempt to code that, unless someone has
 > done it already.
 > 
 > Thanks for all your help!
 > 
 > Chris
 >