On 07/12/17 08:38, Robert Haas wrote:
> another protocol message. I feel like the usefulness of this for
> connection pooling software is pretty obvious: it's a lot easier for
> the pooler to disallow a certain protocol message than a certain SQL
> command.
I assume you mean easier than disallow
On Wed, Jul 12, 2017 at 07:38:56AM -0500, Robert Haas wrote:
> On Tue, May 9, 2017 at 9:43 PM, Chapman Flack wrote:
> > That's where the appident.cookie() function comes in. You just
> > query it once at session establishment and remember the cookie.
> > That allows your code to say:
> >
> > SET S
On Tue, May 9, 2017 at 9:43 PM, Chapman Flack wrote:
> That's where the appident.cookie() function comes in. You just
> query it once at session establishment and remember the cookie.
> That allows your code to say:
>
> SET SESSION ON BEHALF OF 'joe user' BECAUSE I HAVE :cookie AND I SAY SO;
>
> a
On 05/10/2017 03:56 AM, Craig Ringer wrote:
> On 10 May 2017 10:44 am, "Chapman Flack" wrote:
>> On 05/09/17 18:48, Mark Dilger wrote:
>>> SET SESSION ON BEHALF OF 'joe user'
>
> No need to do anything that custom and specific. No need for new syntax
> either.
> SET myapp.appuser = 'joe'
We see
On 10 May 2017 10:44 am, "Chapman Flack" wrote:
On 05/09/17 18:48, Mark Dilger wrote:
> I don't have any positive expectation that the postgres community will go
> along with any of this, but just from my point of view, the cleaner way to
> do what you are proposing is something like setting a s
On 05/09/17 18:48, Mark Dilger wrote:
> I don't have any positive expectation that the postgres community will go
> along with any of this, but just from my point of view, the cleaner way to
> do what you are proposing is something like setting a session variable.
>
> In your middle tier java app
> On May 9, 2017, at 3:14 PM, Chapman Flack wrote:
>
> On 05/09/2017 01:25 PM, Mark Dilger wrote:
>
>> Consensus, no, but utility, yes.
>>
>> In three tier architectures there is a general problem that the database
>> role used by the middle tier to connect to the database does not entail
>> i
On 05/09/2017 01:25 PM, Mark Dilger wrote:
> Consensus, no, but utility, yes.
>
> In three tier architectures there is a general problem that the database
> role used by the middle tier to connect to the database does not entail
> information about the user who, such as a visitor to your website,
David Fetter writes:
> On Tue, May 09, 2017 at 12:48:01PM -0400, Tom Lane wrote:
>> I don't think that's a problem: while psql will remove "--" and everything
>> following it until newline, it won't remove the newline. So there's still
>> a token boundary there.
> We may still need to be careful
On Tue, May 09, 2017 at 12:48:01PM -0400, Tom Lane wrote:
> David Fetter writes:
> > On Fri, May 05, 2017 at 02:20:26PM -0400, Robert Haas wrote:
> >> On Thu, May 4, 2017 at 10:59 AM, Chapman Flack
> >> wrote:
> >>> invalid input syntax for integer: "21' && 1=2)) Uni/**/ON
> >>> SEl/**/eCT 0x646
> On May 9, 2017, at 9:48 AM, Tom Lane wrote:
>
> David Fetter writes:
>> On Fri, May 05, 2017 at 02:20:26PM -0400, Robert Haas wrote:
>>> On Thu, May 4, 2017 at 10:59 AM, Chapman Flack
>>> wrote:
invalid input syntax for integer: "21' && 1=2)) Uni/**/ON
SEl/**/eCT 0x646665743166657
David Fetter writes:
> On Fri, May 05, 2017 at 02:20:26PM -0400, Robert Haas wrote:
>> On Thu, May 4, 2017 at 10:59 AM, Chapman Flack wrote:
>>> invalid input syntax for integer: "21' && 1=2)) Uni/**/ON
>>> SEl/**/eCT 0x646665743166657274,0x646665743266657274,
>>> 0x646665743366657274 -- "
>> No
On Fri, May 05, 2017 at 02:20:26PM -0400, Robert Haas wrote:
> On Thu, May 4, 2017 at 10:59 AM, Chapman Flack wrote:
> > invalid input syntax for integer: "21' && 1=2)) Uni/**/ON
> > SEl/**/eCT 0x646665743166657274,0x646665743266657274,
> > 0x646665743366657274 -- "
>
> Now that is choice. I won
On Thu, May 4, 2017 at 10:59 AM, Chapman Flack wrote:
> invalid input syntax for integer: "21' && 1=2)) Uni/**/ON
> SEl/**/eCT 0x646665743166657274,0x646665743266657274,
> 0x646665743366657274 -- "
Now that is choice. I wonder what specific database system that's targeting...
> I just wonder if
Hi,
At $work I am often entertained by log entries like:
invalid input syntax for integer: "21' && 1=2)) Uni/**/ON
SEl/**/eCT 0x646665743166657274,0x646665743266657274,
0x646665743366657274 -- "
They're entertaining mostly because I know our web guy has heard
of SQL injection and doesn't write s
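As an added worked example (not code from this thread, nor from PostgreSQL itself), the following Python picks probes like the one quoted above out of PostgreSQL's own error log. The reason such a probe shows up as "invalid input syntax for integer" in the first place is that the web tier handed the value to the database as a parameter of integer type: the string reached the integer input routine as data and was rejected there, rather than being spliced into the query text. The server still logs the rejected literal verbatim, which is enough to normalize it, see through the `/**/` keyword splitting, and decode the `0x...` values (MySQL-style hex string literals) to the marker strings the probe expects to see echoed back from a UNION column. The sample log lines are constructed: the first carries the payload quoted in the thread, the other two are invented for contrast (a benign bad integer, and a probe using `UNION ALL` and a `#` comment instead). The indicator names and patterns are this example's own choices, not any standard.

```python
"""Pick SQL-injection probes out of PostgreSQL 'invalid input syntax' errors.

Added example for the thread above; not code from the pgsql-hackers list or
from PostgreSQL itself. Indicator names and patterns are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not a real capture). Line 1 carries the payload
# quoted in the thread; lines 2 and 3 are invented: a benign type error and
# a probe that uses '#' and 'UNION ALL' instead of '/**/' obfuscation.
SAMPLE_LOG = """\
2017-05-04 10:59:01 UTC ERROR:  invalid input syntax for integer: "21' && 1=2)) Uni/**/ON SEl/**/eCT 0x646665743166657274,0x646665743266657274,0x646665743366657274 -- "
2017-05-04 11:02:17 UTC ERROR:  invalid input syntax for integer: "abc"
2017-05-04 11:05:43 UTC ERROR:  invalid input syntax for integer: "1 UNION ALL SELECT NULL,NULL,version()#"
"""

# PostgreSQL quotes the rejected literal verbatim; releases from 11 on say
# "for type integer", older ones "for integer", so accept both spellings.
ERR_RE = re.compile(r'invalid input syntax for (?:type )?integer: "(?P<payload>.*)"\s*$')
COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)
# 0x-prefixed hex, which MySQL reads as a string literal when the digit
# count is even; the probe above uses it to carry strings past quote filtering.
HEX_RE = re.compile(r'\b0x([0-9A-Fa-f]{2,})\b')

# Each indicator is checked against the normalized payload. Names are ours.
INDICATORS = {
    "union_select":     re.compile(r'\bUNION\b(?:\s+ALL)?\s+SELECT\b', re.IGNORECASE),
    "tautology":        re.compile(r'\b\d+\s*=\s*\d+\b'),   # 1=1 / 1=2 probes
    "trailing_comment": re.compile(r'(?:--|#)$'),          # comment out the rest of the real query
    "quote_breakout":   re.compile(r"^\d+'"),              # number followed by a stray quote
}


@dataclass
class Finding:
    payload: str          # literal exactly as PostgreSQL logged it
    normalized: str       # comments stripped, whitespace squeezed
    indicators: List[str]
    hex_strings: List[str]


def normalize(payload: str) -> str:
    """Remove inline comments and squeeze whitespace, so 'Uni/**/ON' reads 'UniON'.

    Splitting keywords with empty comments is a filter-evasion trick; removing
    the comments recovers what the attacker meant the target parser to see.
    """
    return re.sub(r'\s+', ' ', COMMENT_RE.sub('', payload)).strip()


def decode_hex_literals(text: str) -> List[str]:
    """Decode even-length 0x literals to ASCII where printable, else keep them raw."""
    out = []
    for digits in HEX_RE.findall(text):
        if len(digits) % 2:
            continue  # odd digit count: MySQL would read this as a number, not a string
        raw = bytes.fromhex(digits)
        out.append(raw.decode('ascii') if all(32 <= b < 127 for b in raw) else '0x' + digits)
    return out


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding for a log line that looks like a probe, else None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    payload = m.group('payload')
    norm = normalize(payload)
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    hexes = decode_hex_literals(norm)
    if not hits and not hexes:
        return None  # an ordinary bad integer, e.g. "abc"
    return Finding(payload, norm, hits, hexes)


def scan_log(text: str) -> List[Finding]:
    """Scan a whole log excerpt; lines that are not probes are dropped."""
    return [f for f in map(scan_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.indicators, f.hex_strings)
        print("  ", f.normalized)
```

On the thread's payload the three hex literals decode to `dfet1fert`, `dfet2fert` and `dfet3fert`: distinctive strings whose only purpose is to reveal which SELECT column the page renders. The benign `"abc"` line produces no finding, which is the property you want before pointing this at a busy log.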