From: | tony <tony(at)animaproductions(dot)com> |
---|---|
To: | "Lars Preben S(dot) Arnesen" <l(dot)p(dot)arnesen(at)usit(dot)uio(dot)no> |
Cc: | postgres list <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: User permissions |
Date: | 2002-03-14 14:19:26 |
Message-ID: | 1016115566.18797.140.camel@vaio |
Lists: | pgsql-general |
On Thu, 2002-03-14 at 14:35, Lars Preben S. Arnesen wrote:
> But what if your JSP-script lets an evil user insert sql statements
> via a form in your web application. Then the approved application on
> your own server, with the right username/password sends possibly nasty
> SQL to the database. Of course this requires security holes in the web
> application layer, but hey: it is holes like that in at least half of
> every dynamic web site out there. I don't think I'm any better so I
> want to use security at _all_ levels, including the database.

You have got me worried. How is "select * from password" submitted to a
database table going to execute?

I mean in my applications I can submit datatypes to rows in a table. How
do I submit sql or java code that will execute?

I know I can try to submit code via the URL but I was under the
impression that the java security folk had cleaned that one up? As for
sql code that will execute it is beyond me.

Please send me a working example offlist so that I can try it on my
current project.
Cheers
Tony
--
RedHat Linux on Sony Vaio C1XD/S
http://www.animaproductions.com/linux2.html
Macromedia UltraDev with PostgreSQL
http://www.animaproductions.com/ultra.html
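
The situation discussed in this message, as an added example that is not part of the original email: a query built by string concatenation beside the same query with a bound parameter, and the concatenated one retried on a connection that may read only one table. Assumptions: Python's `sqlite3` with an in-memory database stands in for the JSP/PostgreSQL stack, the `products` table, the data and the form value are constructed, and the SQLite authorizer callback stands in for database-level permissions such as a restricted web account.

```python
import sqlite3

# Constructed input: what a hostile user could type into a search form field.
HOSTILE = "x' UNION SELECT secret FROM password --"

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT);
        CREATE TABLE password (username TEXT, secret TEXT);
        INSERT INTO products VALUES ('widget');
        INSERT INTO password VALUES ('admin', 'constructed-secret');
    """)
    return db

def search_concat(db, term):
    # Vulnerable: the form value is pasted into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in db.execute(sql)]

def search_param(db, term):
    # Hardened: the value is bound to a placeholder and is only ever data.
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in db.execute(sql, (term,))]

def restrict_to_products(db):
    # Stand-in for database-level permissions: this connection may read only
    # the products table, as a web account granted SELECT on it alone would.
    def authorizer(action, table, column, dbname, source):
        if action == sqlite3.SQLITE_READ and table != "products":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    db.set_authorizer(authorizer)

def demo():
    db = make_db()
    out = {"concat": search_concat(db, HOSTILE),
           "param": search_param(db, HOSTILE)}
    restricted = make_db()
    restrict_to_products(restricted)
    try:
        out["concat_restricted"] = search_concat(restricted, HOSTILE)
    except sqlite3.Error as exc:
        out["concat_restricted"] = "denied: " + str(exc)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```
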