From: | "Zeugswetter Andreas SB SD" <ZeugswetterA(at)spardat(dot)at> |
---|---|
To: | "Florian Weimer" <Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE>, <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [SECURITY] DoS attack on backend possible |
Date: | 2002-08-20 16:14:39 |
Message-ID: | 46C15C39FEB2C44BA555E356FBCD6FA4961E4F@m0114.s-mxs.net |
Lists: | pgsql-hackers |
> > with Perl and *using placeholders and bind values*, the application
> > developer does not have to worry about this. So, usually I don't check the
> > values in my applications (e.g. if only values between 1 and 5 are
> > allowed and under normal circumstances only these are possible); it's the
> > task of the database (check constraint).
>
> That's the idea. It's the job of the database to guarantee data
> integrity.
Yes, but what is currently missing is a protocol to the backend
where a statement is prepared with placeholders and then executed
(multiple times) with given values. Then there is no doubt what is a
value, and what is part of the SQL.
I think that this would be a wanted feature of the next
protocol version. IIRC the backend side part is currently being
implemented.
Andreas
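The distinction Andreas draws (the server can only tell a value from SQL text when the value is bound, not spliced in) can be shown with a small added example that is not part of the thread. It models the quoted scenario of a column limited to 1..5 by a CHECK constraint; sqlite3 stands in for a PostgreSQL backend so it runs offline, and the table, column names and sample rows are constructed here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the thread's scenario: a column that only
    # allows 1..5, enforced by the database's CHECK constraint rather than
    # by application-side validation.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ratings ("
        "  id INTEGER PRIMARY KEY,"
        "  score INTEGER CHECK (score BETWEEN 1 AND 5))"
    )
    conn.executemany("INSERT INTO ratings (score) VALUES (?)", [(1,), (3,), (5,)])
    return conn


def count_by_score_concat(conn: sqlite3.Connection, score_text: str) -> int:
    # Value spliced into the statement text: the backend receives one string
    # and has no way to know where the SQL ends and the value begins.
    sql = f"SELECT count(*) FROM ratings WHERE score = {score_text}"
    return conn.execute(sql).fetchone()[0]


def count_by_score_bound(conn: sqlite3.Connection, score_text: str) -> int:
    # Value passed as a bind parameter: the statement is fixed, and whatever
    # the parameter contains is compared as data against the column.
    sql = "SELECT count(*) FROM ratings WHERE score = ?"
    return conn.execute(sql, (score_text,)).fetchone()[0]


def insert_bound(conn: sqlite3.Connection, value) -> bool:
    # The application skips range checking; the CHECK constraint is what
    # rejects out-of-range rows. Returns whether the row was accepted.
    try:
        conn.execute("INSERT INTO ratings (score) VALUES (?)", (value,))
        return True
    except sqlite3.IntegrityError:
        return False
```

With the spliced form, a parameter carrying extra SQL changes the query and matches every row; with binding, the same string is simply a value that equals no score, and the constraint alone decides which inserts are accepted.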