Re: [GENERAL] Postgres CGI Security Problem

From: "Shawn T(dot) Walker" <swalker(at)iac(dot)net>
To: Chris Hardie <chris(at)summersault(dot)com>
Cc: M(dot)Boekhold(at)et(dot)tudelft(dot)nl, pgsql-general(at)postgreSQL(dot)org
Subject: Re: [GENERAL] Postgres CGI Security Problem
Date: 1998-08-09 03:08:34
Message-ID: 13773.4449.470214.216974@majordomo.iac.net
Lists: pgsql-general

Chris,

Have you considered using the Perl DBI module? It will let
you connect to a database with a username and a password.

Example:

#!/usr/local/bin/perl

use DBI;

# Connect To Database
$conn= DBI->connect("dbi:Pg:dbname=$dbname",$dbuser, $dbpassword) || die("connect_database: Could Not Connect To Database $dbname AS $dbuser");

I hope this helps you out. If you need any more info then feel free
to ask.


Shawn T. Walker swalker(at)iac(dot)net
Internet Access Cincinnati
http://www.iac.net

"Running enterprise applications on NT? Let the torture begin."
- A Sun Microsystems Inc. banner ad

Chris Hardie writes:
>
> The Apache suexec solution sounds like my quickest fix yet.
>
> The solutions involving setting up a httpd server running as a user that
> can access my particular database still leave my users' databases open to
> write by other users, and seem kind of messy (but effective).
>
> Several folks mentioned supplying a password to the database through the
> CGI script. I had a hard time finding good documentation on this scheme;
> psql apparently supports the "-u" option that prompts for a password (and
> I assume you're prompted anyway when you have the "crypt" option set for a
> user/database in pg_hba.conf). But if you look in the source code for
> psql, it seems there are two methods to connect to a database, PQconnectdb
> which does allow for username/password, and PQsetdb, which *does not*.
> This means that someone could theoretically write a PERL module that uses
> the latter method to connect and bypass the password scheme.
>
> In any case, I'm using the Postgres.pm module with PERL, and it doesn't
> seem to support the passing of a username/password pair (correct me if I'm
> wrong) from a CGI script. I'll attempt to code that, unless someone has
> done it already.
>
> Thanks for all your help!
>
> Chris
>
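
Added example (not part of either message): a CGI script that keeps the database password out of the script itself and refuses to use a credentials file that other local accounts could read, then makes the same DBI->connect call shown above. The file path, its key=value format and the assumption that the script runs as the file's owner (for instance under suexec, as discussed in the thread) are illustrative; DBD::Pg must be installed.

```perl
#!/usr/local/bin/perl
use strict;
use warnings;
use DBI;

# Hypothetical path: a file outside the web root, owned by the account the
# CGI runs as, mode 0600, holding dbname=, dbuser= and dbpassword= lines.
my $CRED_FILE = "/home/example/private/db.cred";

# Load the credentials, but only if no other local account can read or
# change the file. stat() is done on the open handle, so the file that is
# checked is the file that is read.
sub load_credentials {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open credentials file\n";
    my @st = stat($fh) or die "cannot stat credentials file\n";
    my ($mode, $uid) = @st[2, 4];
    die "credentials file not owned by the running user\n" unless $uid == $>;
    die "credentials file is accessible to group/other\n" if $mode & 0077;

    my %cred;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;          # skip comments and blank lines
        my ($k, $v) = split /=/, $line, 2;     # the password may contain '='
        $cred{$k} = $v;
    }
    close($fh);

    for my $k (qw(dbname dbuser dbpassword)) {
        die "credentials file is missing $k\n" unless defined $cred{$k};
    }
    return \%cred;
}

my $cred = load_credentials($CRED_FILE);

# RaiseError makes a failed connect (and later failed statements) die;
# the message goes to the server error log via STDERR, not to the browser.
my $conn = DBI->connect("dbi:Pg:dbname=$cred->{dbname}",
                        $cred->{dbuser}, $cred->{dbpassword},
                        { RaiseError => 1, PrintError => 0 });

print "Content-type: text/plain\n\n";
print "connected\n";
$conn->disconnect;
```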
