Re: [SECURITY] DoS attack on backend possible

Hi Florian,

You guys *definitely* write scarey code.

:-(

Regards and best wishes,

Justin Clift


Florian Weimer wrote:
> 
> Alvar Freude <alvar@a-blast.org> writes:
> 
> >>  What about checking the input for backslash, quote,
> >> and double quote (\'")?  If you are not taking care of those in input
> >> then  crashing the backend is going to be the least of your worries.
> >
> > with Perl and *using placeholders and bind values*, the application
> > developer has not to worry about this. So, usually I don't check the
> > values in my applications (e.g. if only values between 1 and 5 are
> > allowed and under normal circumstances only these are possible), it's the
> > task of the database (check constraint).
> 
> That's the idea.  It's the job of the database to guarantee data
> integrety.
> 
> Obviously, the PostgreSQL developers disagree.  If I've got to do all
> checking in the application anyway, I can almost use MySQL
> instead. ;-)
> 
> --
> Florian Weimer                    Weimer@CERT.Uni-Stuttgart.DE
> University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT                          fax +49-711-685-5898
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
>     (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)

-- 
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."  - Indira Gandhi