While I can understand your concern over security I simply do not know how you
can protect against:
On Sat, 7 Feb 2004, Alex J. Avriette wrote:
... or somebody may be passing in the
de rigueur '; select * from sensitive_table; ...' attempts (this is very
common, as you know, in CGI
On Wednesday 11 February 2004 12:46, Jim C. Nasby wrote:
On Sun, Feb 08, 2004 at 11:24:56PM -0800, Josh Berkus wrote:
The problem with this approach, of course, is that large application
developers generally like to make the database fairly passive and put
all business security logic in
On Sun, Feb 08, 2004 at 11:24:56PM -0800, Josh Berkus wrote:
The problem with this approach, of course, is that large application
developers generally like to make the database fairly passive and put all
business security logic in the middleware. I do think it would be useful
for them to
Alex,
As such, I would like to see some documentation about securing the
database at a data and application level. It would be nice to have some
general guidelines, as well as being able to cite documentation when
setting up a security policy for a database application.
I'd be happy to
On Sun, Feb 08, 2004 at 09:34:15PM -0500, Tom Lane wrote:
Is this nothing?
http://www.postgresql.org/docs/7.4/static/libpq-exec.html#LIBPQ-EXEC-ESCAPE-STRING
I don't think the docs are nearly as bereft of security-related items as
you claim. They may be scattered and poorly indexed, but
Nigel J. Andrews writes:
On Sat, 7 Feb 2004, Alex J. Avriette wrote:
... or somebody may be passing in the
de rigueur '; select * from sensitive_table; ...' attempts (this is very
common, as you know, in CGI applications).
Actually I can and it involves changing the backend
On Sun, Feb 08, 2004 at 01:33:31PM -0500, Tom Lane wrote:
Actually I can and it involves changing the backend to not permit multiple
statements in one request. I can't imagine how that could sensibly be
implemented, if at all, though.
Actually, the extended-query message in the new FE/BE
Alex J. Avriette writes:
On Sun, Feb 08, 2004 at 01:33:31PM -0500, Tom Lane wrote:
Actually, the extended-query message in the new FE/BE protocol works
exactly that way.
(Tom is referring to this:
http://archives.postgresql.org/pgsql-interfaces/2003-03/msg00017.php)
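As an added example (not code from the thread or from PostgreSQL), the following Python models the two defences the thread discusses: the quote-doubling that PQescapeString performs, and a one-statement-per-request check of the kind the extended-query protocol enforces, applied here to a simple-query string. The function names, the sample query builders and the injection text (the thread's example with a trailing comment marker) are constructed assumptions; comments and single-quoted literals are modelled, dollar quoting is not.

```python
from typing import List

# Constructed: the attempt quoted in the thread, terminated with "--" so the
# closing quote of the surrounding literal is commented out.
INJECTION = "'; select * from sensitive_table; --"


def escape_string(value: str) -> str:
    """Escape a value for a single-quoted literal, as PQescapeString does
    (backslashes doubled first, then single quotes doubled)."""
    return value.replace("\\", "\\\\").replace("'", "''")


def split_statements(sql: str) -> List[str]:
    """Split a simple-query string on semicolons that sit outside string
    literals and outside '--' comments. A backend that accepts only one
    statement per request would reject any input yielding more than one."""
    stmts: List[str] = []
    buf: List[str] = []
    in_str = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "\\" and i + 1 < len(sql):        # backslash escape
                buf.append(sql[i:i + 2]); i += 2; continue
            if ch == "'" and sql[i + 1:i + 2] == "'":   # doubled quote
                buf.append("''"); i += 2; continue
            if ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
        elif sql.startswith("--", i):                  # skip line comment
            nl = sql.find("\n", i)
            i = len(sql) if nl < 0 else nl
            continue
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []; i += 1; continue
        buf.append(ch); i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


def build_naive(user: str) -> str:        # hypothetical vulnerable CGI query
    return f"select * from users where name = '{user}'"


def build_escaped(user: str) -> str:      # same query with the value escaped
    return f"select * from users where name = '{escape_string(user)}'"
```

Note that the single-statement rule only stops the appended `select * from sensitive_table`; it is escaping (or binding the value as a parameter in the extended-query protocol) that keeps the injected text from changing the query at all.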