From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Alex J(dot) Avriette" <alex(at)posixnap(dot)net> |
Cc: | "Nigel J(dot) Andrews" <nandrews(at)investsystems(dot)co(dot)uk>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: RFC: Security documentation |
Date: | 2004-02-09 02:34:15 |
Message-ID: | 8215.1076294055@sss.pgh.pa.us |
Lists: | pgsql-hackers |
"Alex J. Avriette" <alex(at)posixnap(dot)net> writes:
> On Sun, Feb 08, 2004 at 01:33:31PM -0500, Tom Lane wrote:
>> Actually, the extended-query message in the new FE/BE protocol works
>> exactly that way.
> (Tom is referring to this:
> http://archives.postgresql.org/pgsql-interfaces/2003-03/msg00017.php)
That's not a particularly helpful link, since it predates the whole
concept of the extended query protocol. See
http://www.postgresql.org/docs/7.4/static/protocol.html#PROTOCOL-QUERY-CONCEPTS
http://www.postgresql.org/docs/7.4/static/protocol-flow.html#AEN52626
particularly the NOTE in the latter section.
> How would you suggest implementing this? Having a "no subqueries" setting?
The app programmer could choose to use only extended queries and not
simple Query messages. (If using libpq, this means only PQexecParams
and never PQexec.)
> I agree with this as well. In my original message, I complained that there
> was no documentation at all. Since we offer documentation on how to code
> in plpgsql, pltcl, plperl, etc., it might be nice to include something.
> Even if it were something brief, such as suggesting escaped quotes and
> other suspicious characters, it would be better than the nothing that is
> there presently.
Is this "nothing"?
http://www.postgresql.org/docs/7.4/static/libpq-exec.html#LIBPQ-EXEC-ESCAPE-STRING
I don't think the docs are nearly as bereft of security-related items as
you claim. They may be scattered and poorly indexed, but they're there.
regards, tom lane
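Tom's point above, that a parameterized extended-protocol query (PQexecParams rather than PQexec) keeps user values out of the SQL text, as an added example that is not code from the thread or from libpq: it hand-encodes the Parse, Bind, Execute and Sync messages described in the 7.4 protocol-flow document for one query and one text parameter (libpq also sends a Describe, omitted here). All helper names and the DEMO_SQL/DEMO_PARAM values are this example's own constructions.

```c
/* Added example, not from the thread or from libpq: encodes the core
 * extended-query messages (Parse, Bind, Execute, Sync) for one SQL text
 * and one text parameter. Helper names and DEMO_* values are this
 * example's own; the wire layout follows the 7.4 protocol-flow docs. */
#include <stdint.h>
#include <string.h>

#define DEMO_SQL   "SELECT * FROM users WHERE name = $1"
#define DEMO_PARAM "O'Brien' OR '1'='1"   /* constructed: the quotes stay plain bytes */

static size_t put_u32(unsigned char *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; return 4; }
static size_t put_u16(unsigned char *p, uint16_t v) { p[0] = v >> 8; p[1] = v; return 2; }
static size_t put_str(unsigned char *p, const char *s) {   /* NUL-terminated String field */
    size_t n = strlen(s) + 1; memcpy(p, s, n); return n;
}
/* Every message is: type byte, Int32 length (counts itself, not the type byte), body. */
static size_t begin_msg(unsigned char *out, size_t off, char type) { out[off] = (unsigned char)type; return off + 5; }
static void end_msg(unsigned char *out, size_t start, size_t end) { put_u32(out + start + 1, (uint32_t)(end - start - 1)); }

/* Encodes Parse+Bind+Execute+Sync into out; returns the number of bytes written. */
size_t encode_extended_query(unsigned char *out, const char *sql, const char *param) {
    size_t start, off = 0, plen = strlen(param);
    start = off; off = begin_msg(out, off, 'P');   /* Parse: unnamed prepared statement */
    off += put_str(out + off, "");                  /* statement name */
    off += put_str(out + off, sql);                 /* SQL text containing only the $1 placeholder */
    off += put_u16(out + off, 0);                   /* no parameter type OIDs declared */
    end_msg(out, start, off);
    start = off; off = begin_msg(out, off, 'B');   /* Bind: unnamed portal from unnamed statement */
    off += put_str(out + off, "");
    off += put_str(out + off, "");
    off += put_u16(out + off, 0);                   /* no parameter format codes => all text */
    off += put_u16(out + off, 1);                   /* one parameter value follows */
    off += put_u32(out + off, (uint32_t)plen);      /* length-prefixed value: never tokenized as SQL */
    memcpy(out + off, param, plen); off += plen;
    off += put_u16(out + off, 0);                   /* result-column format codes: all text */
    end_msg(out, start, off);
    start = off; off = begin_msg(out, off, 'E');   /* Execute: unnamed portal, no row limit */
    off += put_str(out + off, "");
    off += put_u32(out + off, 0);
    end_msg(out, start, off);
    start = off; off = begin_msg(out, off, 'S');   /* Sync */
    end_msg(out, start, off);
    return off;
}

unsigned char demo_buf[256];
/* Encodes the constructed query/parameter pair into demo_buf; returns 94 for the values above. */
size_t demo_encode(void) { return encode_extended_query(demo_buf, DEMO_SQL, DEMO_PARAM); }
```

After encoding, the only single quotes in the buffer sit inside the Bind parameter field (bytes 59 to 76); the Parse message's query text at byte 6 contains none.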