Re: How to store files into the DB with PHP. (bytea ?)

From: François Delpierre <pgsql(at)pivert(dot)org>
To: pgsql-php(at)postgresql(dot)org
Subject: Re: How to store files into the DB with PHP. (bytea ?)
Date: 2009-02-03 16:16:44
Message-ID: 200902031716.44453.pgsql@pivert.org
Lists: pgsql-php

Hi Andrew,

> I don't see that this changes things.  Whether you use stored
> procedures, authenticate against the database, or whatever, your web
> application layer has access to the information on the way through and
> any compromise of your webserver will necessarily involve having a 'man
> in the middle' possibility.
You're right, authenticating against the DB will not change anything, my 
mistake. As far as the user can read a table, he can read all records.


> So an attacker would (e.g.) log the user's credentials as they pass
> through and then happily generate their own tickets to use to extract
> the data.
Totally agree, the attacker will be able to access the files of the users that 
are connecting from the time he put the sniffer in place BUT NOT dump the whole 
content with thousands of documents from the previous months from users that 
did not connect recently. So, this limits the impact.

To go back to the initial subject of this post, I'm now able to store/read 
files from the DB up to 20MB without problem. Without using stored procedures 
yet. (Maybe I can post the code here.) Only an annoying warning about escaping 
that I can't figure out yet.

François.