From: | Network Administrator <netadmin(at)vcsn(dot)com> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Creating functions and triggers |
Date: | 2003-05-13 14:06:36 |
Message-ID: | 1052834796.3ec0fbec17224@webmail.vcsn.com |
Lists: | pgsql-general |
I had a thought/question 'bout this since I was reading some stuff on triggers-
especially PL/Perl (sec. 21.4 in the 7.3 Programmer Docs). Isn't the simple
answer to this based on the fact that a PL installed as "trusted" will not allow
you to execute things that violate localization? Furthermore, if a language is
installed as "untrusted", doesn't it prevent non-admin users from using it? Or
is this only for PL/Perl?
--
Keith C. Perry
Director of Networks & Applications
VCSN, Inc.
http://vcsn.com
Quoting Dennis Gearon <gearond(at)cvc(dot)net>:
> Whatever program or client which is supplying the query could just as easily run
> shell scripts. And for people who follow behind you in this design, it will
> be much less confusing and a more common side effect of the script language
> to execute a shell script, than for a database to execute a shell script.
>
> What does an AFTER trigger have to do with a shell script anyway?
>
> There's a software term called 'localization', unrelated to character sets,
> which means that code running in one place of a program or a suite of programs
> in an application, should only have 'local effect'. Any other changes to take
> place because of one action in one part of a program, should be passed to the
> code nearest the target of changes.
>
> It's like talking to the payroll clerk about the lousy accounting practices
> by the accounting dept. You don't expect the payroll clerk to be married or
> sleeping with the accountant dept head and your comments to immediately have
> effects in the accounting dept, (gossip notwithstanding).
>
> scott.marlowe wrote:
> > Bzzzzzzzzt. WRONG. But thanks for playing.
> >
> > Generally speaking, creating triggers and functions to go with
> > them is a safer way of setting up access to your data than allowing Joe Q
> > Programmer full update/insert/delete access.
> >
> > Paul, Bruce Momjian's postgresql book has a nice little section on writing
> > triggers / functions in plpgsql and a few other languages, and there are
> > some examples throughout the docs that show you how to, although they
> > aren't all collected in one place (one example might be in the trigger
> > section, the next in the plpgsql section.)
> >
> > So, Dennis, how do I write a PHP script that does the equivalent of firing
> > an after trigger?
> >
> > On Wed, 7 May 2003, Dennis Gearon wrote:
> >
> >
> >>HOLY S**T!
> >>
> >><rant>
> >>You are basically setting yourself up for a MICROSOFT sized security
> >>hole. Can you say, "Seeqwell Server?"
> >>
> >>You'd be MUCH better off using a PHP, PERL, ASP, JAVA, COLD FUSION, etc.
> >>script for doing that. THOSE places are the focus for much work in
> >>preventing the misuse of system resources from an end user perspective.
> >>
> >>DATABASES are for holding data, and their relationships.
> >>
> >></rant>
> >>
> >>"Fontenot, Paul" wrote:
> >>
> >>>Is there a good, hold your hand type of tutorial or howto on creating
> >>>functions and triggers and using them together? I'm learning PostgreSQL
> >>>after spending years with MySQL and the information at
> >>>techdocs.postgresql.org - while good, is a little deep for me right now.
> >>>Specifically I would like to be able to read something that will tell me
> >>>how to create a function that can run a shell script when certain
> >>>words are entered into a record. Thanks for your time and guidance.
> >>>
> >>>---------------------------(end of broadcast)---------------------------
> >>>TIP 5: Have you checked our extensive FAQ?
> >>>
> >>>http://www.postgresql.org/docs/faqs/FAQ.html
> >>
> >>
> >>---------------------------(end of broadcast)---------------------------
> >>TIP 2: you can get off all lists at once with the unregister command
> >> (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
> >>
> >
> >
> >
>
____________________________________
This email account is being hosted by:
VCSN, Inc : http://vcsn.com
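
An added example, not part of the original message or thread: catalog queries a PostgreSQL administrator can run to audit the trusted/untrusted language distinction raised above. PostgreSQL lets only superusers create functions in a language that is not marked trusted, and this applies to every procedural language, not only PL/Perl. The role name `app_owner` is hypothetical, and the privilege checks assume `plperl` is installed.

```sql
-- 1. Installed procedural languages and their trusted flag.
--    lanacl is NULL when the default privileges apply; for a trusted
--    language the default grants USAGE to PUBLIC.
SELECT lanname,
       lanpltrusted AS trusted,
       lanacl       AS usage_acl
FROM pg_language
WHERE lanispl
ORDER BY lanname;

-- 2. Functions written in untrusted languages (for example plperlu).
--    Only a superuser could have created them, but by default any role
--    may EXECUTE them, so each one is worth reviewing, especially when
--    it is used as a trigger function or is SECURITY DEFINER.
SELECT n.nspname                   AS schema_name,
       p.proname                   AS function_name,
       l.lanname                   AS language_name,
       pg_get_userbyid(p.proowner) AS owner_name,
       p.prosecdef                 AS security_definer
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE l.lanispl
  AND NOT l.lanpltrusted
ORDER BY schema_name, function_name;

-- 3. Non-superuser roles that may create functions in trusted plperl.
SELECT rolname,
       has_language_privilege(rolname, 'plperl', 'USAGE') AS can_use_plperl
FROM pg_roles
WHERE NOT rolsuper
ORDER BY rolname;

-- 4. Least privilege: stop PUBLIC from creating plperl functions and
--    allow one designated role instead (app_owner is a hypothetical name).
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
GRANT  USAGE ON LANGUAGE plperl TO app_owner;
```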