Re: text field constraint advice

From: Alex Turner <armtuk(at)gmail(dot)com>
To: "Frank D(dot) Engel, Jr(dot)" <fde101(at)fjrhome(dot)net>
Cc: PgSQL General List <pgsql-general(at)postgresql(dot)org>
Subject: Re: text field constraint advice
Date: 2005-01-26 18:29:53
Message-ID: 33c6269f050126102954629121@mail.gmail.com
Lists: pgsql-general

Generally network security suggests that your database server should
not allow connections from external addresses (including for services
like ssh as well as pgsql). iptables can help achieve this if your
servers are all on public IPs (also not a very good idea), otherwise
the best place to configure this is at your firewall/router.

Alex Turner
NetEconomist

On Wed, 26 Jan 2005 08:16:19 -0500, Frank D. Engel, Jr.
<fde101(at)fjrhome(dot)net> wrote:
>
> Well, that's all fine as long as the hacker does not connect directly
> to the database server when attempting his attack. Check it in the app
> yes, but if this is really a genuine concern, it should be reinforced
> by the server as an added precaution.
>
> On Jan 26, 2005, at 3:01 AM, Jeff Davis wrote:
>
> > In fact, I may go so far as to say that it's the application's
> > responsibility to verify the length (at the same time that it's
> > escaping
> > the SQL special chars). The reason for that is because the database
> > wouldn't be corrupt or invalid in any way if the text field contained
> > (for example) 161 chars. So, it should really be more a matter of
> > security against DoS attacks, which is the domain of the application.
> > Also the application is the only one that knows what to do in case the
> > string is too long, so why bother sending it to the database to see if
> > it is too long?
> - -----------------------------------------------------------
> Frank D. Engel, Jr. <fde101(at)fjrhome(dot)net>
>
> $ ln -s /usr/share/kjvbible /usr/manual
> $ true | cat /usr/manual | grep "John 3:16"
> John 3:16 For God so loved the world, that he gave his only begotten
> Son, that whosoever believeth in him should not perish, but have
> everlasting life.
> $
>
>
>
>
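As an added illustration (not from anyone in the thread), here is how the server-side reinforcement Frank argues for looks in PostgreSQL: the table name, column name and the 160-character limit (implied by Jeff's "161 chars") are assumptions.

```sql
-- Added example, not from the thread. The limit lives in the schema, so a
-- client that talks to the server directly and skips the application's
-- checks still cannot store an over-long value.
CREATE TABLE messages (
    id   serial PRIMARY KEY,
    body text NOT NULL,
    -- Named CHECK constraint: also rejects empty strings. A violation
    -- raises SQLSTATE 23514 (check_violation) and the row is not stored.
    CONSTRAINT messages_body_len CHECK (char_length(body) BETWEEN 1 AND 160)
);

-- Equivalent typed alternative: declaring body as varchar(160) makes an
-- INSERT of 161 characters fail with SQLSTATE 22001 rather than truncate.
-- Caveat: an explicit cast such as '...'::varchar(160) silently truncates,
-- so do not rely on casts in application code to enforce the limit.

-- Accepted: exactly 160 characters (constructed input).
INSERT INTO messages (body) VALUES (repeat('x', 160));

-- Rejected by the CHECK constraint: 161 characters (constructed input).
INSERT INTO messages (body) VALUES (repeat('x', 161));

-- Rejected as well: the empty string.
INSERT INTO messages (body) VALUES ('');

-- Verify that nothing over the limit reached the table.
SELECT count(*) AS over_limit
FROM messages
WHERE char_length(body) > 160;
```

Alex's point about not exposing the server to external addresses is a separate control: that is configured through listen_addresses in postgresql.conf and the host rules in pg_hba.conf, plus the firewall, not in the schema.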
