From: Andrew - Supernews <andrew+nonews(at)supernews(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: plpgsql by default
Date: 2006-04-11 22:19:45
Message-ID: slrne3oas1.2as.andrew+nonews@atlantis.supernews.net
Lists: pgsql-hackers
On 2006-04-11, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> David Fetter <david(at)fetter(dot)org> writes:
>> I don't get your not getting this 'cause you're a very smart guy. Are
>> you under the impression that an attacker will stop because he has to
>> try a few times?
>
> No, I'm saying that having access to a PL renders certain classes of
> attacks significantly more efficient.
Not significantly, and I'll happily back up that assertion with code
examples. (I've already posted an example brute-force search to illustrate
that.)
> A determined attacker with
> unlimited time may not care, but in the real world, security is
> relative. You don't have to make yourself an impenetrable target,
> only a harder target than the next IP address --- or at least hard
> enough that the attacker's likely to get noticed before he's succeeded.
> (And certainly, doing anything compute-intensive via recursive SQL
> functions is not the way to go unnoticed.)
Doing something compute-intensive with pl/pgsql functions will be just as
noticeable.
--
Andrew, Supernews
http://www.supernews.com - individual and corporate NNTP services
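As an added defender-side illustration of the "getting noticed" point that both sides of this exchange take for granted (this is not code from the thread or from PostgreSQL's own sources; it assumes the pg_stat_activity column names used by PostgreSQL 9.2 and later, and the role name app_user is a hypothetical placeholder), here is what a DBA would actually run to see a long-running, compute-bound session, and the per-role setting that bounds it:

```sql
-- Added example, not from the thread: list sessions that have been
-- executing a single statement for longer than a chosen threshold.
-- Assumes PostgreSQL 9.2+ column names (pid, state, query, query_start).
SELECT pid,
       usename,
       datname,
       now() - query_start AS running_for,
       left(query, 80)     AS query_head
FROM   pg_stat_activity
WHERE  state = 'active'
  AND  query_start < now() - interval '30 seconds'
ORDER  BY running_for DESC;

-- Mitigation: cap per-statement runtime for the application role.
-- The role name app_user is a hypothetical placeholder.
ALTER ROLE app_user SET statement_timeout = '5s';
```

The monitoring query shows the same thing whether the work is done through recursive SQL functions or through pl/pgsql: an active backend whose statement has been running far longer than the application's normal queries. The statement_timeout setting applies the same ceiling to both languages, which is why the availability of a particular PL does not change what this check catches.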