| From: | David Kerr <dmk(at)mr-paradox(dot)net> |
|---|---|
| To: | John R Pierce <pierce(at)hogranch(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story) |
| Date: | 2010-02-08 16:24:21 |
| Message-ID: | 20100208162421.GB73377@mr-paradox.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Fri, Feb 05, 2010 at 12:09:57PM -0800, John R Pierce wrote:
- that would be a function of how you use Postgresql. if you do the
- typical PHP hacker style of building statements with inline values then
- executing them, you're vunerable unless you totally sanitize all your
- inputs. see http://xkcd.com/327/
Right, so when dealing with a high security environment you want to assume
someone made a mistake and left you vunerable in this area.
- >Does anyone have experience here? One of our security people found a
- >generic mod_security config file that had a couple of postgres entries
- >in it. Is there a full Postgres config for mod_security that the
- >community recommends?
- >
- >Can anyone give me a good pros or cons of using mod_security when you
- >have Postgres + Hibernate?
- >
-
- isn't mod_security purely for Apache httpd applications? if you're not
- using apache httpd, it seems like there's no point in using mod_security.
We'll have httpd handing off to Geronimo. From what i can gather mod_security
will balk at any url that contains one of it's keywords.
Dave
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Kerr | 2010-02-08 16:25:43 | Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story) |
| Previous Message | Tom Lane | 2010-02-08 16:19:10 | Re: Re: [GENERAL] FM format modifier does not remove leading zero from year |