Tom Lane wrote:
> "Joshua D. Drake" <jd@commandprompt.com> writes:
>> What does enabling plpgsql do via access that you can't just do from an
>> SQL query?
>
> SQL isn't Turing-complete --- plpgsql is. So if our would-be hacker has
> a need to do some computation incidental to his hack, he can certainly
> get it done in plpgsql, but not necessarily in plain SQL.

O.k. sure... but if the hacker wants to do something really bad it is
easy to do so in SQL... TRUNCATE, DELETE FROM, VACUUM FULL, DROP...,
SELECT generate_series()

Sincerely,

Joshua D. Drake
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/