From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
---|---|
To: | William Denton <wdenton(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Row data is reflected in DETAIL message when constraints fail on insert/update |
Date: | 2019-06-20 04:13:38 |
Message-ID: | b2afcfd3-a2c2-9bdc-3e62-a28392f0b8f6@aklaver.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On 6/19/19 8:56 PM, William Denton wrote:
> When inserting up updating a row with not null constraints that are not
> satisfied, postgres reflects the values in the row in the error DETAIL.
>
> postgres=# create database test;
> CREATE DATABASE
> postgres=# \c test;
> psql (11.1 (Debian 11.1-3.pgdg90+1), server 11.2)
> You are now connected to database "test" as user "postgres".
> test=# create table person (firstname text not null, lastname text not
> null, email text not null);
> CREATE TABLE
> test=# insert into person values ('william', 'denton', null);
> ERROR: null value in column "email" violates not-null constraint
> DETAIL: Failing row contains (william, denton, null).
> test=# insert into person values ('william', 'denton',
> 'email(at)example(dot)com <mailto:email(at)example(dot)com>');
> INSERT 0 1
> test=# update person set email = null;
> ERROR: null value in column "email" violates not-null constraint
> DETAIL: Failing row contains (william, denton, null).
> test=#
>
> Is there a setting where i can disable the DETAIL field being populated
> with row data?
See:
https://www.postgresql.org/docs/11/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT
log_error_verbosity
>
> Currently sensitive data (PII in the case illustrated above) is being
> leaked by the database engine and relayed up into my application where
> is finds its way into application logs.
>
> I have also opened a github issue with Npgsql to see if its possible to
> suppress this DETAIL field in exceptions, but it seems this is an issue
> that all DB drivers/clients will face.
> https://github.com/npgsql/npgsql/issues/2501
>
> Being able to reflect out the data on a row without doing a select may
> be a security issue as well.
>
> Thank you!
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
From | Date | Subject | |
---|---|---|---|
Next Message | Daulat Ram | 2019-06-20 06:38:07 | How can generate alter sequence and drop constraints statements via ora2pg |
Previous Message | William Denton | 2019-06-20 03:56:16 | Row data is reflected in DETAIL message when constraints fail on insert/update |