But it is some strange that somebody can change the password without knowing the old one... So if you leave your computer alone everone can change the password. So he can login.
From: To: Subject: Re: [NOVICE] REVOKE on ALTER USER, DROP USER Date: Sun, 8 Jul 2007 21:36:34 +0200
But is it possible?
For a demo account it can be handy. Because visitors, can change the vistor account, so the next visitor can't login. And the owner of the demo can't recover the password.
The problem for me is that I only have 2 database users. So i can't afford is to lose one.
> To: > CC: > Subject: Re: [NOVICE] REVOKE on ALTER USER, DROP USER > Date: Sun, 8 Jul 2007 12:22:58 -0400 > From: > > Tjibbe <> writes: > > Hello, Is het possible tot REVOKE the ALTER USER command? In such a way tha= > > t users cannot change their password and username? And also cannot delete t= > > hemeself with DROP USER? > > Ordinary users (those without superuser or createrole privilege) can't > do any of that except change their own password ... and I don't see a > particularly good argument for preventing them from doing that. > > > Now I solve the problem in PHP, to filter de SQL query string behore sendin= > > g to postgresql as follows: > > If you're allowing untrusted sources to provide chunks of SQL to be > executed directly, you've got problems far worse than this one. > > regards, tom lane > > ---------------------------(end of broadcast)--------------------------- > TIP 4: Have you searched our list archives? > > http://archives.postgresql.org