Re: Proposed patch to disallow password=foo in database name parameter - Mailing list pgsql-patches

From Joshua D. Drake
Subject Re: Proposed patch to disallow password=foo in database name parameter
Date
Msg-id 475E0341.7080300@commandprompt.com
Whole thread Raw
In response to Re: Proposed patch to disallow password=foo in database name parameter  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-patches
Tom Lane wrote:
> "Joshua D. Drake" <jd@commandprompt.com> writes:
>> Tom Lane wrote:
>>> As of PG 8.3, libpq allows a conninfo string to be passed in via the
>>> dbName parameter of PQsetdbLogin.
>
>> I didn't even know we could do that. I always use the shell variable
>> option instead. Does anyone actually use the facility?
>
> Well, not yet, because it's new in 8.3 ...

Yeah, let's not do that. Like you said, "While we cannot absolutely
prevent client apps from doing stupid things, it seems like it might be
a good idea to prevent passwords from being passed in through dbName. "

To me... this is something that if we allow, people will use it, and we
will end up removing it, realizing it is a bad idea. There are plenty of
other ways to pass the password in a more sane way.

Sincerely,

Joshua D. Drake


>
>             regards, tom lane
>


pgsql-patches by date:

Previous
From: Stephen Frost
Date:
Subject: Re: Proposed patch to disallow password=foo in database name parameter
Next
From: Andrew Dunstan
Date:
Subject: Re: Proposed patch to disallow password=foo in database name parameter