From: | "Shawn T(dot) Walker" <swalker(at)iac(dot)net> |
---|---|
To: | Chris Hardie <chris(at)summersault(dot)com> |
Cc: | M(dot)Boekhold(at)et(dot)tudelft(dot)nl, pgsql-general(at)postgreSQL(dot)org |
Subject: | Re: [GENERAL] Postgres CGI Security Problem |
Date: | 1998-08-09 03:08:34 |
Message-ID: | 13773.4449.470214.216974@majordomo.iac.net |
Lists: | pgsql-general |
Chris,
Have you considered using the Perl DBI module? It will let
you connect to a database with a username and a password.
Example:

    #!/usr/local/bin/perl
    use DBI;
    # Connect To Database
    $conn = DBI->connect("dbi:Pg:dbname=$dbname", $dbuser, $dbpassword)
        || die("connect_database: Could Not Connect To Database $dbname AS $dbuser");

I hope this helps you out. If you need any more info then feel free
to ask.
Shawn T. Walker swalker(at)iac(dot)net
Internet Access Cincinnati
http://www.iac.net
"Running enterprise applications on NT? Let the torture begin."
- A Sun Microsystems Inc. banner ad
Chris Hardie writes:
>
> The Apache suexec solution sounds like my quickest fix yet.
>
> The solutions involving setting up a httpd server running as a user that
> can access my particular database still leave my users' databases open to
> write by other users, and seems kind of messy (but effective).
>
> Several folks mentioned supplying a password to the database through the
> CGI script. I had a hard time finding good documentation on this scheme;
> psql apparently supports the "-u" option that prompts for a password (and
> I assume you're prompted anyway when you have the "crypt" option set for a
> user/database in pg_hba.conf). But if you look in the source code for
> psql, it seems there are two methods to connect to a database, PQconnectdb
> which does allow for username/password, and PQsetdb, which *does not*.
> This means that someone could theoretically write a PERL module that uses
> the latter method to connect and bypass the password scheme.
>
> In any case, I'm using the Postgres.pm module with PERL, and it doesn't
> seem to support the passing of a username/password pair (correct me if I'm
> wrong) from a CGI script. I'll attempt to code that, unless someone has
> done it already.
>
> Thanks for all your help!
>
> Chris
>
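
Added example, not part of the original message or thread: one way a CGI script can supply the database password through DBI without embedding it in the script, which fits the suexec setup mentioned above because the script then runs as the owner of the credentials file. The file path, the `key=value` file format and the function names are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Hypothetical path: a credentials file kept outside the web root.
my $CRED_FILE = '/home/example/private/db.cred';

# Read "key=value" lines (dbname, user, password) from a file that must be
# owned by the user the script runs as and closed to group and other.
sub load_credentials {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open credentials file\n";
    my @st = stat($fh);
    die "credentials file not owned by script user\n" unless $st[4] == $>;
    die "credentials file is group/world accessible\n" if $st[2] & 077;
    my %cred;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;          # skip comments and blank lines
        my ($k, $v) = split /=/, $line, 2;
        $cred{$k} = $v;
    }
    close($fh);
    for my $k (qw(dbname user password)) {
        die "credentials file is missing '$k'\n" unless defined $cred{$k};
    }
    return \%cred;
}

# Connect with the loaded credentials. The detailed DBI error goes to the
# server error log via warn; the die message carries no account details.
sub connect_database {
    my ($cred) = @_;
    my $dbh = DBI->connect("dbi:Pg:dbname=$cred->{dbname}",
                           $cred->{user}, $cred->{password},
                           { PrintError => 0, RaiseError => 0, AutoCommit => 1 });
    unless ($dbh) {
        warn "connect failed for $cred->{dbname}: $DBI::errstr\n";
        die "database unavailable\n";
    }
    return $dbh;
}

unless (caller) {
    my $dbh = connect_database(load_credentials($CRED_FILE));
    my ($who) = $dbh->selectrow_array('SELECT current_user');
    print "Content-Type: text/plain\n\nconnected as $who\n";
    $dbh->disconnect;
}
```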