Re: Is it possible to do some damage to database with SELECT query?

From: Bill Moran <wmoran(at)collaborativefusion(dot)com>
To: "Teemu Juntunen" <teemu(dot)juntunen(at)e-ngine(dot)fi>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Is it possible to do some damage to database with SELECT query?
Date: 2008-07-22 11:58:21
Message-ID: 20080722075821.f0980716.wmoran@collaborativefusion.com
Lists: pgsql-general

In response to "Teemu Juntunen" <teemu(dot)juntunen(at)e-ngine(dot)fi>:

> Hi,
>
> is it possible to make a SELECT query with some nasty follow-up commands,
> which damages the database?
>
> Something like:
>
> SELECT *,(DROP DATABASE enterprise) AS roger FROM sales WHERE sales >
> (UPDATE order SET order=1);
>
> I know this won't work, but is there some possibility to modify the database with
> a SELECT query?
>
> I'm developing an ERP where I would like to implement a statistical program
> where you can write your own SELECT queries.

Yes, it's easy to do with stored procedures. i.e.:
SELECT drop_table('important_table') FROM some_other_table;

This is managed with database permissions. Ensure that the user your
dynamic query engine is connecting as does not have permissions to
drop tables, or even delete rows from the tables (see the GRANT docs).
By doing so, you ensure that even if someone can create a dangerous
procedure and execute it via a query, they can't do any damage.

--
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/

wmoran(at)collaborativefusion(dot)com
Phone: 412-422-3463x4023
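The hazard and the permission-based mitigation described in the reply, as an added PostgreSQL example that is not part of the original thread; the role name report_reader, the tables sales and important_table, and the function drop_table() are assumed names, and the script is meant to be run by a superuser or the database owner.

```sql
-- Constructed demonstration (added example, not code from the thread).
-- Assumed names: tables sales / important_table, function drop_table(),
-- read-only role report_reader.

-- 1. The hazard: a function that performs DDL can be invoked from a plain
--    SELECT, so "only SELECT statements" is not a safety boundary by itself.
CREATE TABLE important_table (id int);
CREATE TABLE sales (id serial PRIMARY KEY, amount numeric);
INSERT INTO sales (amount) VALUES (10), (20);

CREATE OR REPLACE FUNCTION drop_table(tbl text) RETURNS text
LANGUAGE plpgsql AS $$
BEGIN
    EXECUTE format('DROP TABLE %I', tbl);   -- %I quotes the identifier
    RETURN 'dropped ' || tbl;
END $$;

-- Run as the owner, this would destroy important_table:
--   SELECT drop_table('important_table') FROM sales;

-- 2. Mitigation: the ad-hoc reporting engine connects as a role that can only
--    read. It owns no tables, so DROP/DELETE fail however they are reached.
CREATE ROLE report_reader LOGIN PASSWORD 'PLACEHOLDER-change-me';
REVOKE CREATE ON SCHEMA public FROM PUBLIC;   -- no new objects for everyone
GRANT USAGE ON SCHEMA public TO report_reader;
GRANT SELECT ON sales TO report_reader;       -- read sales, nothing else
-- Functions are EXECUTE-able by PUBLIC by default; take that away too.
REVOKE EXECUTE ON FUNCTION drop_table(text) FROM PUBLIC;

-- 3. Check: the same query as report_reader is rejected twice over.
--    First because report_reader lacks EXECUTE on drop_table(); and even with
--    EXECUTE, the DROP inside would fail because report_reader is not the owner.
SET ROLE report_reader;
SELECT drop_table('important_table') FROM sales;
RESET ROLE;

-- Caveat: a function declared SECURITY DEFINER runs with its owner's
-- privileges, so for such functions the EXECUTE grant is the only barrier.
```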
