Re: [SECURITY] DoS attack on backend possible
Zeugswetter Andreas DCP SD <zeugswettera@spardat.at>
From: "Zeugswetter Andreas SB SD" <ZeugswetterA@spardat.at>
To: "Florian Weimer" <Weimer@CERT.Uni-Stuttgart.DE>, <pgsql-hackers@postgresql.org>
Date: 2002-08-20T16:14:39Z
Lists: pgsql-hackers
> > with Perl and *using placeholders and bind values*, the application > > developer has not to worry about this. So, usually I don't check the > > values in my applications (e.g. if only values between 1 and 5 are > > allowed and under normal circumstances only these are possible), it's the > > task of the database (check constraint). > > That's the idea. It's the job of the database to guarantee data > integrety. Yes, but what is currently missing is a protocol to the backend where a statement is prepared with placeholders and then executed (multiple times) with given values. Then there is no doubt what is a value, and what a part of the SQL. I think that this would be a wanted feature of the next protocol version. iirc the backend side part is currently beeing implemented. Andreas