Re: lastval exposes information that currval does not - Mailing list pgsql-hackers

From Tom Lane
Subject Re: lastval exposes information that currval does not
Date
Msg-id 5671.1154032845@sss.pgh.pa.us
In response to Re: lastval exposes information that currval does not  (Alvaro Herrera <alvherre@commandprompt.com>)
Responses Re: lastval exposes information that currval does not  (Andrew Dunstan <andrew@dunslane.net>)
Re: lastval exposes information that currval does not  (Phil Frost <indigo@bitglue.com>)
List pgsql-hackers
Alvaro Herrera <alvherre@commandprompt.com> writes:
> What we should really do is have lastval() fail if the user does not
> have appropriate permissions on the schema.  Having it not fail is a bug,
> and documenting a bug turns it not into a feature, but into a "gotcha".

I'm unconvinced that it's either a bug or a gotcha.  lastval doesn't
tell you which sequence it's giving you a value from, so I don't really
see the reasoning for claiming that there's a security hole.  Also,
*at the time you did the nextval* you did have permissions.  Does anyone
really think that a bad guy can't just remember the value he got?
lastval is merely a convenience.
        regards, tom lane

