Re: [SECURITY] DoS attack on backend possible
Florian Weimer <weimer@cert.uni-stuttgart.de>
From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
To: pgsql-hackers@postgresql.org
Date: 2002-08-21T12:34:46Z
Lists: pgsql-hackers
ngpg@grymmjack.com writes:

> if you are going to be passing any user input to the database, you
> must/should validate in some manner before blindly passing it to the db.
> The db can and should guarantee data integrity, but the database cannot
> read your mind when it comes to how you structure your queries.

[example of SQL injection attack deleted]

This is not the problem at hand. SQL injection attacks can be avoided easily. Bugs in the conversion of strings to internal PostgreSQL objects are a different matter, though, and usually, devastating effects cannot be avoided by (reasonably complex) checks in the frontend.

-- 
Florian Weimer                    Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
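The distinction drawn in this reply is between two different failure modes: injection, which the application avoids by never letting input become part of the statement text, and a bug inside the backend's own string-to-object conversion, which the application cannot influence because the string still has to be parsed by the server. The following is an added example, not code from the thread or from the PostgreSQL project, showing the first half of that point: how bound parameters keep an input string as data. It uses Python's sqlite3 module as an offline stand-in for PostgreSQL (the table, rows and the hostile input string are constructed for the example); the same pattern applies to a PostgreSQL driver that supports parameter binding.

```python
import sqlite3

# Constructed in-memory database standing in for the real backend.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

# Constructed input containing a quote character, the kind of value that
# changes the structure of a query when it is spliced into the SQL text.
HOSTILE = "nobody' OR 'x'='x"

def lookup_concat(conn, name):
    # Unsafe: the input becomes part of the statement text, so the quote in
    # HOSTILE terminates the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, name):
    # Safe against injection: the input travels as a bound parameter, so the
    # database compares it as a string value and never re-parses it as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concat(db, HOSTILE))  # every row leaks
    print("bound:       ", lookup_bound(db, HOSTILE))   # no match, as intended
```

Note what binding does not do: the value is still handed to the server, which must convert it to its internal representation, so a defect in that conversion (the case the reply is actually concerned with) is reached regardless of how carefully the frontend quoted or validated the input.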