From: Richard Huxton <dev(at)archonet(dot)com>
To: martin(dot)chantler(at)convergys(dot)com
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Re: Anyone can create tables!
Date: 2001-03-13 07:46:40
Message-ID: 3AADD060.CDB802C@archonet.com
Lists: pgsql-general

martin(dot)chantler(at)convergys(dot)com wrote:
>
> I have not been following the start of this thread but I was myself
> wondering about the security of DB access over the web
[snip]
> You could then let them do things, even enter SQL into your form, but your
> servlet could parse it and stop them doing unwanted things.
>
> BTW Are there any security issues with this that anyone knows of???
>
There are security issues with anything, but the crucial thing is to be
strict with the parsing. Choose what to let through rather than what to
block. One trick is to pass crafted text into value fields in forms to
force your own query to run.
Buffer overflows etc. should presumably be less of a problem with Java.
- Richard Huxton
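The two points in the reply above, crafted text in a form value rewriting the query and "choose what to let through rather than what to block", as an added example that is not code from the thread or from the PostgreSQL project. It stands in a Python sqlite3 in-memory database for the PostgreSQL table behind Martin's servlet so that it runs offline; the `users` table, the sample rows, the `' OR '1'='1` payload and the one permitted filter shape are all constructed for illustration. A concatenated query and a block-list "parser" both return every row for the payload, while a bound parameter and an allow-list of query shapes do not:

```python
import re
import sqlite3

# Constructed sample data, standing in for the PostgreSQL table behind the
# servlet in the thread; sqlite3 is used only so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn

def lookup_vulnerable(conn, name):
    """Form value spliced into the SQL text: crafted text rewrites the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_blocklist(conn, name):
    """Block-list 'parsing': strip a few scary tokens, then splice as before.
    A tautology such as  ' OR '1'='1  contains none of them and sails through."""
    cleaned = re.sub(r"(?i)\b(drop|delete|union)\b|;|--", "", name)
    sql = "SELECT name FROM users WHERE name = '" + cleaned + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    """Bound parameter: the driver never parses the value as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Allow-list for the "let them enter SQL, parse it in the servlet" idea:
# accept exactly one shape,  <column> <op> '<literal>', with the column
# drawn from a fixed set and the literal passed as a bound parameter.
ALLOWED_COLUMNS = {"id", "name", "email"}
FILTER_RE = re.compile(r"^\s*(\w+)\s*(=|<>|<|>)\s*'([^']*)'\s*$")

def filtered_users(conn, user_filter):
    """Reject anything that is not the one permitted filter shape."""
    m = FILTER_RE.match(user_filter)
    if not m or m.group(1) not in ALLOWED_COLUMNS:
        raise ValueError("filter not allowed: %r" % user_filter)
    col, op, value = m.groups()
    # col and op come from the allow-list/regex and value is bound, so the
    # query text itself is fully under our control.
    sql = 'SELECT name FROM users WHERE "%s" %s ?' % (col, op)
    return [row[0] for row in conn.execute(sql, (value,))]

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every user
    print("block-list:", lookup_blocklist(db, payload))    # still every user
    print("bound param:", lookup_safe(db, payload))        # []
    print("allow-list:", filtered_users(db, "name = 'bob'"))
    try:
        filtered_users(db, "name = '' OR '1'='1'")
    except ValueError as e:
        print("rejected:", e)
```

The block-list version is the one to compare with the advice in the reply: it is a plausible-looking "parse it and stop them" filter, yet the payload needs none of the tokens it removes. The allow-list version never tries to recognise bad input; it recognises the single good shape and hands the literal to the driver as a parameter, so any column name outside the set, any extra clause, or any quoting trick is refused before SQL is built.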