Home > mailing lists

Security Issues: Allowing Clients to Execute SQL in the Backend. - Mailing list pgsql-general

From	Hello World
Subject	Security Issues: Allowing Clients to Execute SQL in the Backend.
Date	April 30, 2014 10:32:23
Msg-id	CAB8jeLnU1=aJdh-UYTODo8LspDm0hpCDj=ALc7V2UXxayCHCTA@mail.gmail.com Whole thread Raw
Responses	Re: Security Issues: Allowing Clients to Execute SQL in the Backend. (Albe Laurenz <laurenz.albe@wien.gv.at>) Re: Security Issues: Allowing Clients to Execute SQL in the Backend. (Rory Campbell-Lange <rory@campbell-lange.net>) Re: Security Issues: Allowing Clients to Execute SQL in the Backend. (Chris Travers <chris.travers@gmail.com>)
List	pgsql-general

Tree view

Hello!

I'm developing a web application that needs to display data from a postgres backend.

The most convenient way for the app to get the data is by expressing the request in SQL.

I'm thinking about the following architecture

[ App/Client ] -----> query in SQL ---> [Web server] ---> same SQL query --> [PG database]

***********

I would simply use the roles/permssion system inside Postgres to determine what users
can do and cannot do. Clients have to authenticate as one of the roles (not superusers) defined in the database.
************

Given this are there any security other issues about letting client applications execute arbitrary SQL commands on the backend database?

Thanks.

pgsql-general by date:

From: Sergey Konoplev
Date: 30 April 2014, 04:48:22
Subject: Re: Vacuuming strategy

From: Albe Laurenz
Date: 30 April 2014, 10:44:18
Subject: Re: Security Issues: Allowing Clients to Execute SQL in the Backend.

Security Issues: Allowing Clients to Execute SQL in the Backend. - Mailing list pgsql-general

Previous

Next