Re: [SECURITY] DoS attack on backend possible

Hi Florian,

You guys *definitely* write scarey code.

:-(

Regards and best wishes,

Justin Clift

Florian Weimer wrote:
>
> Alvar Freude <alvar(at)a-blast(dot)org> writes:
>
> >> What about checking the input for backslash, quote,
> >> and double quote (\'")? If you are not taking care of those in input
> >> then crashing the backend is going to be the least of your worries.
> >
> > with Perl and *using placeholders and bind values*, the application
> > developer has not to worry about this. So, usually I don't check the
> > values in my applications (e.g. if only values between 1 and 5 are
> > allowed and under normal circumstances only these are possible), it's the
> > task of the database (check constraint).
>
> That's the idea. It's the job of the database to guarantee data
> integrety.
>
> Obviously, the PostgreSQL developers disagree. If I've got to do all
> checking in the application anyway, I can almost use MySQL
> instead. ;-)
>
> --
> Florian Weimer Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE
> University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT fax +49-711-685-5898
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
> (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)

--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi