"Greg Sabino Mullane" <greg(at)turnstep(dot)com> writes:
> I'm not sure I understand the security implications of turning plpgsql on:
> has there been some security concerns in the past? Does having access
> to plpgsql really faciliate an attacker that much above what they might
> already be capable of without it? It seems quite trivial to write a
> function in sql that ties up resources just as effectively as plpgsql.
I grow weary of repeating this: it's not about resource consumption, nor
about potential security holes in plpgsql itself. It's about handing
attackers the capability to further exploit *other* security holes.
regards, tom lane