On Wed, Jun 24, 2009 at 9:52 AM, Tom Lane<tgl@sss.pgh.pa.us> wrote:
> "Albe Laurenz" <laurenz.albe@wien.gv.at> writes:
>> Robert Haas wrote:
>>> I don't think this is true. You can use SET SESSION AUTHORIZATION,
>>> right?
>
>> You are right, I overlooked that.
>> It is restricted to superusers though.
>
> That sort of thing is only workable if you have trustworthy client code
> that controls what queries the users can issue. If someone can send raw
> SQL commands then he just needs to do RESET SESSION AUTHORIZATION to
> become superuser.
Good point, although since the OP said it was a webapp, they probably
have control over that.
...Robert
