Re: [HACKERS] Disallowing multiple queries per PQexec()
| От | Peter Eisentraut |
|---|---|
| Тема | Re: [HACKERS] Disallowing multiple queries per PQexec() |
| Дата | |
| Msg-id | 12f11da6-52b1-3738-6431-7a67d60d5078@2ndquadrant.com обсуждение исходный текст |
| Ответ на | Re: [HACKERS] Disallowing multiple queries per PQexec() (Surafel Temesgen <surafel3000@gmail.com>) |
| Список | pgsql-hackers |
On 6/14/17 10:05, Surafel Temesgen wrote: > PGC_POSTMASTER implies that it's an instance-wide setting. > Is is intentional? I can understand that it's more secure for this > not to > be changeable in an existing session, but it's also much less usable > if you > can't set it per-database and per-user. > Maybe it should be PGC_SUSET ? > > It’s my misunderstanding I thought PGC_POSTMASTER set only by > superuser and changed with a hard restart > > I attach a patch that incorporate the comments and uses similar routines > with the rest of the file rather than using command tag After reviewing the discussion, I'm inclined to reject this patch. Several people have spoken out strongly against this patch. It's clear that this feature wouldn't actually offer any absolute protection; it just closes one particular hole. On the other hand, it introduces a maintenance and management burden. We already have libpq APIs that offer a more comprehensive protection against SQL injection, so we can encourage users to use those, instead of relying on uncertain measures such as this. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
В списке pgsql-hackers по дате отправления: