| From: | Douglas McNaught <doug(at)mcnaught(dot)org> |
|---|---|
| To: | "Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com> |
| Cc: | fasupport(at)allcoast(dot)net, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Securing stored procedures and triggers |
| Date: | 2007-10-31 19:50:10 |
| Message-ID: | 873avrqd1p.fsf@suzuka.mcnaught.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
"Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com> writes:
> On 10/31/07, Douglas McNaught <doug(at)mcnaught(dot)org> wrote:
>
>> The only bulletproof way to do this currently is to write all your
>> stored functions in C and load them as a shared library.
>
> Well, as I pointed out in my post, even that's not bullet-proof. As
> long as decompilers / debuggers etc... exist, then compiling is just a
> small barrier to a good hacker. The only way to win is not to play,
> i.e. keep the code in house.
Very true, I should have said "semi-bulletproof". :)
In addition, the "interesting" parts of a C function would be the SPI
queries, which unless further obfuscated would be easily extractable
from the library using strings(1).
-Doug
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ian Goldsmid | 2007-10-31 19:56:39 | can someone please tell me how to unsubscribe from this group - thanks |
| Previous Message | Ron St-Pierre | 2007-10-31 19:22:42 | Re: getting list of tables from command line |