From: | "Lars Preben S(dot) Arnesen" <l(dot)p(dot)arnesen(at)usit(dot)uio(dot)no> |
---|---|
To: | tony <tony(at)animaproductions(dot)com> |
Cc: | postgres list <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: User permissions |
Date: | 2002-03-14 13:35:25 |
Message-ID: | yfradtbs25e.fsf@lpsa.uio.no |
Lists: | pgsql-general |
[ tony ]
> In my case they are going to need the database user name and password,
> spoof the application server IP number, upload their own JSP to the
> application server... The only connection allowed to the database is
> from the application server via a well defined connection account.
But what if your JSP script lets an evil user insert SQL statements
via a form in your web application? Then the approved application on
your own server, with the right username/password, sends possibly nasty
SQL to the database. Of course this requires security holes in the web
application layer, but hey: there are holes like that in at least half
of all the dynamic web sites out there. I don't think I'm any better, so I
want to use security at _all_ levels, including the database.
> That is what JSP does. It is executed on the server and it is secure (as
> secure as Java gets which seems to be a little more than PHP...)
It is as secure as the programmer writes his/her scripts.
Many script programmers forget to quote "'", and this often enables
web users to insert SQL commands in input fields in forms. If this is
sent directly to the database, guess what happens.
--
Lars Preben
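The failure mode Lars describes, as an added example that is not part of the original thread and not code from tony's application: a login query built by pasting form input into the SQL text, next to the same query with the values passed separately. The table, rows and attacker input are constructed here, and SQLite's in-process driver stands in for the PostgreSQL/JDBC connection; the quoting behaviour being shown is the same.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the PostgreSQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("o'brien", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, name, password):
    """What a script that forgets to quote "'" effectively does: the form
    input becomes part of the SQL text, so a quote in it is SQL syntax."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Hardened form: the driver carries the values separately from the SQL
    text (a prepared statement in JDBC terms), so a quote is just data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run both forms against a legitimate apostrophe and an injection.

    Returns a dict so the outcomes can be inspected or asserted on."""
    conn = make_db()
    results = {}

    # A legitimate user whose name contains an apostrophe: the naive query
    # breaks with a syntax error before any attacker shows up.
    try:
        results["vulnerable_apostrophe"] = login_vulnerable(conn, "o'brien", "hunter2")
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = login_safe(conn, "o'brien", "hunter2")

    # Constructed attacker input in the password field. In the naive query
    # the WHERE clause becomes
    #   name = 'x' AND password = '' OR '1'='1'
    # which is true for every row, so the check passes with no password.
    attack = "' OR '1'='1"
    results["vulnerable_attack"] = login_vulnerable(conn, "x", attack)
    results["safe_attack"] = login_safe(conn, "x", attack)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The same input reaches the database over the application server's approved account in both cases, which is the point of the thread: the network rule and the connection password are untouched, and the only thing separating the two outcomes is whether the application let the quote become syntax. Restricting what that account may do in the database (GRANT only what the application needs) is the extra layer that limits the damage when the application does get this wrong.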