On 2006-04-11, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> David Fetter <david@fetter.org> writes:
>> I don't get your not getting this 'cause you're a very smart guy. Are
>> you under the impression that an attacker will stop because he has to
>> try a few times?
>
> No, I'm saying that having access to a PL renders certain classes of
> attacks significantly more efficient.
Not significantly, and I'll happily back up that assertion with code
examples. (I've already posted an example brute-force search to illustrate
that.)
> A determined attacker with
> unlimited time may not care, but in the real world, security is
> relative. You don't have to make yourself an impenetrable target,
> only a harder target than the next IP address --- or at least hard
> enough that the attacker's likely to get noticed before he's succeeded.
> (And certainly, doing anything compute-intensive via recursive SQL
> functions is not the way to go unnoticed.)
Doing something compute-intensive with pl/pgsql functions will be just as
noticable.
--
Andrew, Supernews
http://www.supernews.com - individual and corporate NNTP services