Re: pl/pgsql enabled by default
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Neil Conway <neilc@samurai.com>
Cc: Simon Riggs <simon@2ndquadrant.com>, Andrew Sullivan <ajs@crankycanuck.ca>, pgsql-hackers@postgresql.org
Date: 2005-05-07T15:38:40Z
Lists: pgsql-hackers
Neil Conway <neilc@samurai.com> writes: > Users can already define SQL functions by default, which certainly > provides "programmable features". I'm not quite sure what you mean by > "user exits." > I guess I'm missing how pl/pgsql is a fundamentally greater security risk. plpgsql has control structures (loops, IF); SQL functions don't. That makes for a fundamental difference in the power of the programming language ... at least according to CS theory as I was taught it. Now admittedly the "primitive statements" of SQL are a lot more powerful than the primitive statements usually considered in programming language theory, but I think there is still a pretty significant difference in capability. An example of why this could be interesting from a security standpoint is that, given access to pg_shadow, it'd be pretty trivial to write a plpgsql function that tries to break user passwords by brute force (just generate possible passwords, hash them, and look for a match). I don't see any way to do that in plain SQL, at least not without a pre-existing SRF to generate the trial passwords for you. regards, tom lane