Quick Links

Re: lastval exposes information that currval does not

From:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To:	Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc:	Phil Frost <indigo(at)bitglue(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject:	Re: lastval exposes information that currval does not
Date:	2006-07-27 20:40:45
Message-ID:	5671.1154032845@sss.pgh.pa.us
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Alvaro Herrera <alvherre(at)commandprompt(dot)com> writes:
> What we should really do is have lastval() fail if the user does not
> have appropiate permissions on the schema. Having it not fail is a bug,
> and documenting a bug turns it not into a feature, but into a "gotcha".

I'm unconvinced that it's either a bug or a gotcha. lastval doesn't
tell you which sequence it's giving you a value from, so I don't really
see the reasoning for claiming that there's a security hole. Also,
*at the time you did the nextval* you did have permissions. Does anyone
really think that a bad guy can't just remember the value he got?
lastval is merely a convenience.

regards, tom lane

In response to

Re: lastval exposes information that currval does not at 2006-07-27 17:17:28 from Alvaro Herrera

Responses

Re: lastval exposes information that currval does not at 2006-07-27 21:01:37 from Andrew Dunstan
Re: lastval exposes information that currval does not at 2006-07-28 00:49:56 from Phil Frost

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Alvaro Herrera	2006-07-27 20:45:57	Warnings in pgstattuple
Previous Message	Tom Lane	2006-07-27 20:29:53	Re: New shared memory hooks proposal (was Re: