Re: lastval exposes information that currval does not
| От | Tom Lane |
|---|---|
| Тема | Re: lastval exposes information that currval does not |
| Дата | |
| Msg-id | 5671.1154032845@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Re: lastval exposes information that currval does not (Alvaro Herrera <alvherre@commandprompt.com>) |
| Ответы |
Re: lastval exposes information that currval does not
Re: lastval exposes information that currval does not |
| Список | pgsql-hackers |
Alvaro Herrera <alvherre@commandprompt.com> writes:
> What we should really do is have lastval() fail if the user does not
> have appropiate permissions on the schema. Having it not fail is a bug,
> and documenting a bug turns it not into a feature, but into a "gotcha".
I'm unconvinced that it's either a bug or a gotcha. lastval doesn't
tell you which sequence it's giving you a value from, so I don't really
see the reasoning for claiming that there's a security hole. Also,
*at the time you did the nextval* you did have permissions. Does anyone
really think that a bad guy can't just remember the value he got?
lastval is merely a convenience.
regards, tom lane
В списке pgsql-hackers по дате отправления: