Re: [GENERAL] Postgres CGI Security Problem
From | Shawn T. Walker |
---|---|
Subject | Re: [GENERAL] Postgres CGI Security Problem |
Date | |
Msg-id | 13773.4449.470214.216974@majordomo.iac.net |
In response to | Re: [GENERAL] Postgres CGI Security Problem (Chris Hardie <chris@summersault.com>) |
Responses | Re: [GENERAL] Postgres CGI Security Problem |
List | pgsql-general |
Chris,

Have you considered using the Perl DBI module? It will let you connect to a database with a username and a password.

Example:

```perl
#!/usr/local/bin/perl
use DBI;

# Connect To Database
$conn = DBI->connect("dbi:Pg:dbname=$dbname", $dbuser, $dbpassword)
    || die("connect_database: Could Not Connect To Database $dbname AS $dbuser");
```

I hope this helps you out. If you need any more info then feel free to ask.

Shawn T. Walker swalker@iac.net
Internet Access Cincinnati http://www.iac.net

"Running enterprise applications on NT? Let the torture begin."
- A Sun Microsystems Inc. banner ad

Chris Hardie writes:
>
> The Apache suexec solution sounds like my quickest fix yet.
>
> The solutions involving setting up a httpd server running as a user that
> can access my particular database still leaves my users' databases open to
> write by other users, and seems kind of messy (but effective).
>
> Several folks mentioned supplying a password to the database through the
> CGI script. I had a hard time finding good documentation on this scheme;
> psql apparently supports the "-u" option that prompts for a password (and
> I assume you're prompted anyway when you have the "crypt" option set for a
> user/database in pg_dba.conf). But if you look in the source code for
> psql, it seems there are two methods to connect to a database, PQconnectdb
> which does allow for username/password, and PQsetdb, which *does not*.
> This means that someone could theoretically write a PERL module that uses
> the latter method to connect and bypass the password scheme.
>
> In any case, I'm using the Postgres.pm module with PERL, and it doesn't
> seem to support the passing of a username/password pair (correct me if I'm
> wrong) from a CGI script. I'll attempt to code that, unless someone has
> done it already.
>
> Thanks for all your help!
>
> Chris
>
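
Added example, not part of the original message or thread: one way a CGI script on a shared host can pass a username and password through DBI without embedding them in the script itself. It assumes DBD::Pg is installed and that the script runs under Apache suexec as the account that owns the database; the credential file path and its `key=value` layout are hypothetical.

```perl
#!/usr/local/bin/perl
# Added example (not from the thread). Assumes DBD::Pg and suexec.
use strict;
use warnings;
use DBI;

# Hypothetical path, outside the web root so it cannot be fetched over HTTP.
my $CRED_FILE = '/home/exampleuser/private/db.conf';

# Read key=value pairs (dbname, user, password) from a file that only the
# script's own account can read.
sub load_credentials {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open credential file: $!\n";
    # stat the open handle, not the path, so the checks apply to the file we read
    my @st = stat($fh) or die "cannot stat credential file: $!\n";
    # Refuse a file owned by someone else or accessible to group/other:
    # on a shared host that would hand the password to every other CGI user.
    die "credential file not owned by script user\n" unless $st[4] == $>;
    die "credential file must be mode 0600 or stricter\n" if $st[2] & 077;
    my %cfg;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;    # skip comments and blank lines
        $cfg{$1} = $2 if $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/;
    }
    close($fh);
    for my $key (qw(dbname user password)) {
        die "credential file is missing '$key'\n" unless defined $cfg{$key};
    }
    return \%cfg;
}

sub connect_database {
    my $cfg = load_credentials($CRED_FILE);
    # RaiseError turns connection and query failures into die();
    # PrintError is off so DBI does not also emit its own warning.
    return DBI->connect("dbi:Pg:dbname=$cfg->{dbname}",
                        $cfg->{user}, $cfg->{password},
                        { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
}

my $conn = connect_database();
# Ask the server which role it actually authenticated us as.
my ($who) = $conn->selectrow_array('SELECT current_user');
print "Content-type: text/plain\n\nconnected as $who\n";
$conn->disconnect;
```

The password only restricts access if the server's host-based authentication demands one for that database; a client that connects without a password is stopped by the server configuration, not by this script.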