Re: [SECURITY] DoS attack on backend possible - Mailing list pgsql-hackers

From Florian Weimer
Subject Re: [SECURITY] DoS attack on backend possible
Msg-id 87r8gsxue1.fsf@CERT.Uni-Stuttgart.DE
In response to Re: [SECURITY] DoS attack on backend possible  (ngpg@grymmjack.com)
List pgsql-hackers
ngpg@grymmjack.com writes:

> if you are going to be passing any user input to the database, you
> must/should validate in some manner before blindly passing it to the db.
> The db can and should guarantee data integrity, but the database cannot
> read your mind when it comes to how you structure your queries.

[example of SQL injection attack deleted]

This is not the problem at hand.  SQL injection attacks can be avoided
easily.  Bugs in the conversion of strings to internal PostgreSQL
objects are a different matter, though, and usually, devastating
effects cannot be avoided by (reasonably complex) checks in the
frontend.

-- 
Florian Weimer                       Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
