| From: | Florian Weimer <Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [SECURITY] DoS attack on backend possible |
| Date: | 2002-08-19 16:59:00 |
| Message-ID: | 874rdq944r.fsf_-_@CERT.Uni-Stuttgart.DE |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers pgsql-hackers |
Alvar Freude <alvar(at)a-blast(dot)org> writes:
>> What about checking the input for backslash, quote,
>> and double quote (\'")? If you are not taking care of those in input
>> then crashing the backend is going to be the least of your worries.
>
> with Perl and *using placeholders and bind values*, the application
> developer has not to worry about this. So, usually I don't check the
> values in my applications (e.g. if only values between 1 and 5 are
> allowed and under normal circumstances only these are possible), it's the
> task of the database (check constraint).
That's the idea. It's the job of the database to guarantee data
integrety.
Obviously, the PostgreSQL developers disagree. If I've got to do all
checking in the application anyway, I can almost use MySQL
instead. ;-)
--
Florian Weimer Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Justin Clift | 2002-08-19 17:07:30 | Re: [SECURITY] DoS attack on backend possible |
| Previous Message | Thomas Lockhart | 2002-08-19 16:24:21 | Re: [COMMITTERS] pgsql-server/src backend/tcop/postgres.cbacke |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Justin Clift | 2002-08-19 17:07:30 | Re: [SECURITY] DoS attack on backend possible |
| Previous Message | Justin Clift | 2002-08-19 16:51:30 | Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in |