Re: [SECURITY] DoS attack on backend possible

Florian Weimer <weimer@cert.uni-stuttgart.de>

From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
To: pgsql-hackers@postgresql.org
Date: 2002-08-21T12:34:46Z
Lists: pgsql-hackers

ngpg@grymmjack.com writes:

> if you are going to be passing any user input to the database, you 
> must/should validate in some manner before blindly passing it to the db.
> The db can and should guarantee data integrity, but the database cannot 
> read your mind when it comes to how you structure your queries.

[example of SQL injection attack deleted]

This is not the problem at hand.  SQL injection attacks can be avoided
easily.  Bugs in the conversion of strings to internal PostgreSQL
objects are a different matter, though, and usually, devastating
effects cannot be avoided by (reasonably complex) checks in the
frontend.

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898