Re: Is this a bug, possible security hole, or wrong assumption?

From: "Sander Steffann" <sander(at)steffann(dot)nl>
To: "Mike Mascari" <mascarm(at)mascari(dot)com>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: <pgsql-general(at)postgresql(dot)org>
Subject: Re: Is this a bug, possible security hole, or wrong assumption?
Date: 2002-06-09 09:19:30
Message-ID: 001601c20f96$c2f655f0$64c8a8c0@balefire10ww
Lists: pgsql-general

Hi,

> Mike Mascari <mascarm(at)mascari(dot)com> writes:
> > What appears to me is that the rewriter is just tacking the IS NULL test
> > onto the parsed query. As a result, a function is called with data from
> > a view before the evaluation of IS NULL removes those rows from the
> > selection process. Is that right? If so, is that a security problem?
>
> You're essentially asking for a guarantee about the order of evaluation
> of WHERE clauses. There is no such guarantee, and won't be because it
> would be a crippling blow to performance.

But he is right in that his trick works. This proves that views can not be
safely used for security, which is an important thing to realise...

Sander.
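
An added illustration, not part of the original message or thread: the evaluation-order behaviour discussed above, reproduced with a constructed table, view and function (all names hypothetical), followed by the `security_barrier` view option that PostgreSQL 9.2 and later provide so that a caller-supplied condition cannot be evaluated ahead of the view's own filter. The view here filters with an equality test rather than the IS NULL test from the thread; that substitution is an assumption of this example.

```sql
-- Constructed sample data; every object name here is hypothetical.
CREATE TABLE accounts (
    owner   text,
    balance integer,
    hidden  text NOT NULL DEFAULT 'no'
);
INSERT INTO accounts VALUES
    ('alice', 100, 'no'),
    ('bob',   900, 'yes');   -- the view is meant to hide this row

-- Plain view used as the access-control boundary.
CREATE VIEW visible_accounts AS
    SELECT owner, balance FROM accounts WHERE hidden = 'no';

-- A function with an observable side effect and a very low declared cost.
-- The planner orders conditions by estimated cost, not by where they
-- were written, which is the "no guarantee" point made in the thread.
CREATE FUNCTION observe(text, integer) RETURNS boolean AS $$
BEGIN
    RAISE NOTICE 'observe(%, %)', $1, $2;
    RETURN true;
END;
$$ LANGUAGE plpgsql COST 0.0000001;

-- The plain view is flattened into the outer query, so both conditions
-- land in a single filter on accounts. Check the Filter line of the plan
-- and which rows produce a NOTICE.
EXPLAIN (COSTS OFF)
    SELECT * FROM visible_accounts WHERE observe(owner, balance);
SELECT * FROM visible_accounts WHERE observe(owner, balance);

-- Hardened form: a security_barrier view is not flattened, and conditions
-- from the outer query that are not marked LEAKPROOF are applied only to
-- rows that already passed the view's own WHERE clause.
ALTER VIEW visible_accounts SET (security_barrier = true);

-- The plan now shows observe() as a filter on a subquery scan above the
-- scan of accounts, where hidden = 'no' is applied first.
EXPLAIN (COSTS OFF)
    SELECT * FROM visible_accounts WHERE observe(owner, balance);
SELECT * FROM visible_accounts WHERE observe(owner, balance);
```

Comparing the two `EXPLAIN` plans is the check to run when auditing views that are relied on for row filtering: the user-supplied condition should never share a filter with the view's own predicate.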
