| From: | Florian Weimer <Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [SECURITY] DoS attack on backend possible |
| Date: | 2002-08-21 12:34:46 |
| Message-ID: | 87r8gsxue1.fsf@CERT.Uni-Stuttgart.DE |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers pgsql-hackers |
ngpg(at)grymmjack(dot)com writes:
> if you are going to be passing any user input to the database, you
> must/should validate in some manner before blindly passing it to the db.
> The db can and should guarantee data integrity, but the database cannot
> read your mind when it comes to how you structure your queries.
[example of SQL injection attack deleted]
This is not the problem at hand. SQL injection attacks can be avoided
easily. Bugs in the conversion of strings to internal PostgreSQL
objects are a different matter, though, and usually, devastating
effects cannot be avoided by (reasonably complex) checks in the
frontend.
--
Florian Weimer Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian - CVS | 2002-08-21 16:08:19 | pgsql-server/doc/src/sgml func.sgml |
| Previous Message | Bruce Momjian - CVS | 2002-08-21 05:25:50 | pgsql-server/doc/src/sgml func.sgml |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2002-08-21 13:46:16 | Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in |
| Previous Message | Nigel J. Andrews | 2002-08-21 09:22:24 | Re: Proposal: make "opaque" obsolete |