Re: Including PL/PgSQL by default - Mailing list pgsql-hackers

From Roberts, Jon
Subject Re: Including PL/PgSQL by default
Date
Msg-id 1A6E6D554222284AB25ABE3229A92762715619@nrtexcus702.int.asurion.com
In response to Re: Including PL/PgSQL by default  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: Including PL/PgSQL by default
List pgsql-hackers

> -----Original Message-----
> From: pgsql-hackers-owner@postgresql.org [mailto:pgsql-hackers-
> owner@postgresql.org] On Behalf Of Andrew Dunstan
> Sent: Friday, February 22, 2008 9:28 AM
> To: Tom Lane
> Cc: Joshua D. Drake; Greg Sabino Mullane; pgsql-hackers@postgresql.org
> Subject: Re: [HACKERS] Including PL/PgSQL by default
>
>
>
> Tom Lane wrote:
> > Certainly you can cause massive DOS-type problems in plain SQL without
> > any access to plpgsql, but that type of juvenile delinquency isn't what
> > concerns me.  What I'm worried about is whether plpgsql isn't a useful
> > tool for the sort of professional who would much rather you never knew
> > he was there.  It's perhaps true that with generate_series() for looping
> > and CASE for conditionals, plain SQL is Turing-complete and therefore
> > could do anything, but it'd be awfully unpleasant and inefficient to use
> > as a procedural language.  The pro who doesn't want you to know he's
> > there is never going to try to do password cracking that way; the
> > resource consumption would be large enough to be noticed.  plpgsql on
> > the other hand is fast enough to be a *practical* tool for nefarious
> > purposes.
> >
> >
> >
>
> As a matter of interest, are there any other databases that have
> procedural languages that don't have them turned on by default? In fact,
> are there any that allow you to turn them off?
>
> It certainly looks like MySQL's PL is always on, unless I'm missing
> something, and ISTR PL/SQL is always on in Oracle, although it's now
> quite some years since I touched it in anger.
>
PL/SQL is there by default and so are Java Stored Procedures.  Neither
can be removed.

However, you cannot create anything in Oracle without being given
permission to create it.  The notion that you can create a function
because you have connect rights to the database is foreign to me.
Connect should mean connect, not connect AND create.

Include the language by default and remove CREATE on the public schema.


Jon
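
The change suggested in the message above (keep the language, remove CREATE on the public schema), sketched as an added example that is not part of the original post or of the PostgreSQL project's own scripts. It assumes plpgsql is installed in the database and uses a hypothetical owner role named app_owner.

```sql
-- Added example. Assumptions: plpgsql is installed in this database, and
-- app_owner is a hypothetical role that should keep the right to create objects.

-- 1. Audit: which non-superuser login roles can create objects in schema
--    public, and which of them can also use plpgsql?
SELECT r.rolname,
       has_schema_privilege(r.rolname, 'public', 'CREATE')   AS can_create_in_public,
       has_language_privilege(r.rolname, 'plpgsql', 'USAGE') AS can_use_plpgsql
FROM   pg_roles r
WHERE  r.rolcanlogin
AND    NOT r.rolsuper
ORDER  BY r.rolname;

-- 2. Is the CREATE right inherited from the PUBLIC pseudo-role, i.e. does
--    every role that can connect get it?
SELECT has_schema_privilege('public', 'public', 'CREATE') AS public_can_create;

-- 3. Make "connect" mean connect only: drop the blanket grant and give
--    CREATE back to the one role that needs it.
BEGIN;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT  CREATE ON SCHEMA public TO app_owner;
COMMIT;

-- 4. Verify: this should now list only app_owner, the schema owner, and
--    roles with an explicit grant of their own.
SELECT r.rolname
FROM   pg_roles r
WHERE  r.rolcanlogin
AND    NOT r.rolsuper
AND    has_schema_privilege(r.rolname, 'public', 'CREATE')
ORDER  BY r.rolname;
```

The privilege is stored per database, so the revoke has to be run in each database, and in template1 if newly created databases should start without the grant.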

