| From: | Hello World <worldanizer(at)gmail(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Security Issues: Allowing Clients to Execute SQL in the Backend. |
| Date: | 2014-04-30 07:32:15 |
| Message-ID: | CAB8jeLnU1=aJdh-UYTODo8LspDm0hpCDj=ALc7V2UXxayCHCTA@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hello!
I'm developing a web application that needs to display data from a postgres
backend.
The most convenient way for the app to get the data is by expressing the
request in SQL.
I'm thinking about the following architecture
[ App/Client ] -----> query in SQL ---> [Web server] ---> same SQL query
--> [PG database]
***********
I would simply use the roles/permssion system inside Postgres to determine
what users
can do and cannot do. Clients have to authenticate as one of the roles
(not superusers) defined in the database.
************
Given this are there any security other issues about letting client
applications execute arbitrary SQL commands on the backend database?
Thanks.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Albe Laurenz | 2014-04-30 07:44:08 | Re: Security Issues: Allowing Clients to Execute SQL in the Backend. |
| Previous Message | Sergey Konoplev | 2014-04-30 01:47:54 | Re: Vacuuming strategy |