Hi Andrew,
> I don't see that this changes things. Whether you use stored
> procedures, authenticate against the database, or whatever, your web
> application layer has access to the information on the way through and
> any compromise of your webserver will necessarily involve having a 'man
> in the middle' possibility.
You're right, authenticating against the DB will not change anything, my
mistake. As far as the user can read a table, he can read all records.
> So an attacker would (e.g.) log the user's credentials as they pass
> through and then happily generate their own tickets to use to extract
> the data.
Totally agree, the attacker will be able to access the files of the users that
are connecting from the time he put the sniffer in place BUT NOT dump the whole
content with thousands of documents from the previous months from users that
did not connect recently. So, this limit the impact.
To go back to the initial subject of this post, I'm now able to store/read
files from the DB up to 20MB without problem. Without using stored procedures
yet. (Maybe I can post the code here.) Only an annoying warning about escaping
that I can't figure out yet.
François.
