Home > mailing lists

Re: PCI:SSF - Safe SQL Query & operators filter - Mailing list pgsql-general

From	Laurenz Albe
Subject	Re: PCI:SSF - Safe SQL Query & operators filter
Date	November 8, 2022 10:03:39
Msg-id	96d54b77e1584463cc1c12e1a3ed6870063916b2.camel@cybertec.at Whole thread Raw
In response to	Re: PCI:SSF - Safe SQL Query & operators filter (Jan Bilek <jan.bilek@eftlab.com.au>)
Responses	Re: PCI:SSF - Safe SQL Query & operators filter (Jan Bilek <jan.bilek@eftlab.com.au>)
List	pgsql-general

Tree view

On Tue, 2022-11-08 at 04:14 +0000, Jan Bilek wrote:

> I know it is not exactly what you suggested (and agreeing a lot with our 
> app user shouldn't be running as superuser), but as all other inputs 
> from our application come sanitized through bind and this is the only 
> way where user can send an explicit command in there - I think it should do!
> 
> Please let me know if you approve.

I strongly disapprove, and any security audit you pass with such a setup
is worthless.  I repeat: the application does not need to connect with
a superuser.

I don't understand what you want to demonstrate with the code samples, or
what you mean when you say that "the user can send an explicit command".

Yours,
Laurenz Albe

pgsql-general by date:

From: Ashesh Vashi
Date: 08 November 2022, 07:15:55
Subject: Re: My account was locked in pgadmin4

From: Thomas Munro
Date: 08 November 2022, 10:10:23
Subject: Re: Segmentation Fault PG 14

Re: PCI:SSF - Safe SQL Query & operators filter - Mailing list pgsql-general

Previous

Next