From: | Richard Huxton <dev(at)archonet(dot)com> |
---|---|
To: | "Denis" <sqllist(at)coralindia(dot)com>, <pgsql-sql(at)postgresql(dot)org> |
Subject: | Re: how to preserve \n in select statement |
Date: | 2003-12-22 10:48:20 |
Message-ID: | 200312221048.20783.dev@archonet.com |
Lists: | pgsql-sql |

On Monday 22 December 2003 09:37, Denis wrote:
> Hi Richard..
>
> If your users are required to fire only SELECT and no DML, you can do the
> following:
>
> BEGIN;
> execute the statements given by user
> ROLLBACK;
>
> This will not affect your SELECT and also if any malicious user gives
> DELETE statement, that will not have any impact too..

An interesting idea, though you'd need to be careful with side-effects
(triggers/functions etc). I seem to recall a "read-only" setting being
discussed for transactions too (though not as a security measure, I should
emphasise).

The other thing is to use the database user/group mechanism - something which
tends to be neglected with web-based apps (partly because different DBs have
different setups here).

If only an application super-user can add/delete users make sure the
permissions reflect this and connect as a more restricted user for other
logins.

--
Richard Huxton
Archonet Ltd
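
The points in this reply, as an added example that is not part of the original message: a PostgreSQL session showing a side effect that survives ROLLBACK, a read-only transaction, and role privileges that match the application's rules. It assumes a current PostgreSQL release and a psql session run by a superuser; every table, role and sequence name is hypothetical.

```sql
-- Constructed schema; all table, role and sequence names are hypothetical.
CREATE TABLE app_users (id int PRIMARY KEY, login text NOT NULL);
INSERT INTO app_users VALUES (1, 'alice'), (2, 'bob');
CREATE SEQUENCE ticket_seq;

-- Roles mirror the application's own rules: only the application
-- super-user may add or delete users; other logins may only read.
CREATE ROLE app_admin LOGIN;
CREATE ROLE app_reader LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_users TO app_admin;
GRANT SELECT ON app_users TO app_reader;

-- 1. A side effect that BEGIN ... ROLLBACK does not undo: the sequence
--    advance made by a function call inside a plain SELECT is kept.
BEGIN;
SELECT nextval('ticket_seq');
ROLLBACK;
SELECT last_value, is_called FROM ticket_seq;  -- the advance is still visible

-- 2. A read-only transaction rejects the write even for a role that
--    holds the DELETE privilege. It guards against accidents; it is not
--    the access control, because the session chooses the mode itself.
SET ROLE app_admin;
BEGIN TRANSACTION READ ONLY;
DELETE FROM app_users WHERE id = 2;   -- rejected: transaction is read-only
ROLLBACK;
RESET ROLE;

-- 3. The access control: run user-supplied statements as the restricted
--    role, so the server refuses DML regardless of transaction mode.
SET ROLE app_reader;
BEGIN TRANSACTION READ ONLY;
SELECT login FROM app_users ORDER BY id;
ROLLBACK;
DELETE FROM app_users;                -- rejected: no DELETE privilege
RESET ROLE;

-- Both rows are still present after the two rejected DELETEs.
SELECT count(*) FROM app_users;
```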