Re: [SECURITY] DoS attack on backend possible - Mailing list pgsql-hackers

From Florian Weimer
Subject Re: [SECURITY] DoS attack on backend possible
Date
Msg-id 874rdq944r.fsf_-_@CERT.Uni-Stuttgart.DE
In response to Re: [SECURITY] DoS attack on backend possible (was: Re:  (Alvar Freude <alvar@a-blast.org>)
Responses Re: [SECURITY] DoS attack on backend possible  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Alvar Freude <alvar@a-blast.org> writes:

>>  What about checking the input for backslash, quote, 
>> and double quote (\'")?  If you are not taking care of those in input
>> then  crashing the backend is going to be the least of your worries. 
>
> with Perl and *using placeholders and bind values*, the application
> developer does not have to worry about this. So, usually I don't check the
> values in my applications (e.g. if only values between 1 and 5 are
> allowed and under normal circumstances only these are possible), it's the
> task of the database (check constraint). 

That's the idea.  It's the job of the database to guarantee data
integrity.

Obviously, the PostgreSQL developers disagree.  If I've got to do all
checking in the application anyway, I can almost use MySQL
instead. ;-)

-- 
Florian Weimer                       Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
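The point made in the quoted message, as an added example that is not part of the thread: with bind values the driver delivers quote and backslash characters as data, and a CHECK constraint, not application code, enforces the allowed range. It assumes Python's sqlite3 module as an offline stand-in for Perl DBI placeholders against PostgreSQL; the table and the hostile-looking input are constructed for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed table: the "only values between 1 and 5" rule lives in the database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ratings ("
        " note TEXT NOT NULL,"
        " score INTEGER NOT NULL CHECK (score BETWEEN 1 AND 5))"
    )
    return conn


def insert_unsafe(conn, note, score):
    # String concatenation: quote characters inside `note` reach the SQL parser.
    sql = f"INSERT INTO ratings (note, score) VALUES ('{note}', {score})"
    conn.execute(sql)


def insert_with_placeholders(conn, note, score):
    # Bind values: the driver passes `note` to the database as data, never as SQL text.
    conn.execute("INSERT INTO ratings (note, score) VALUES (?, ?)", (note, score))


def demo():
    results = {}
    hostile = "it's \"fine\" \\ really"  # constructed input with ' " and backslash
    conn = build_db()
    try:
        insert_unsafe(conn, hostile, 3)
        results["unsafe"] = "accepted"
    except sqlite3.OperationalError:
        results["unsafe"] = "syntax error"  # the single quote broke the statement
    insert_with_placeholders(conn, hostile, 3)
    results["stored"] = conn.execute("SELECT note FROM ratings").fetchone()[0]
    try:
        insert_with_placeholders(conn, "ok", 6)
        results["range"] = "accepted"
    except sqlite3.IntegrityError:
        results["range"] = "rejected by CHECK"  # out-of-range value refused by the database
    return results


if __name__ == "__main__":
    print(demo())
```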