Re: How to store files into the DB with PHP. (bytea ?)
From | François Delpierre |
---|---|
Subject | Re: How to store files into the DB with PHP. (bytea ?) |
Date | |
Msg-id | 200902031716.44453.pgsql@pivert.org |
In response to | How to store files into the DB with PHP. (bytea ?) ("François Delpierre" <pgsql@pivert.org>) |
List | pgsql-php |

Hi Andrew,

> I don't see that this changes things. Whether you use stored
> procedures, authenticate against the database, or whatever, your web
> application layer has access to the information on the way through and
> any compromise of your webserver will necessarily involve having a 'man
> in the middle' possibility.

You're right, authenticating against the DB will not change anything, my mistake. As far as the user can read a table, he can read all records.

> So an attacker would (e.g.) log the user's credentials as they pass
> through and then happily generate their own tickets to use to extract
> the data.

Totally agree, the attacker will be able to access the files of the users that are connecting from the time he put the sniffer in place BUT NOT dump the whole content with thousands of documents from the previous months from users that did not connect recently. So, this limits the impact.

To go back to the initial subject of this post, I'm now able to store/read files from the DB up to 20MB without problem. Without using stored procedures yet. (Maybe I can post the code here.) Only an annoying warning about escaping that I can't figure out yet.

François.