Re: [SECURITY] DoS attack on backend possible
From | Florian Weimer |
---|---|
Subject | Re: [SECURITY] DoS attack on backend possible |
Date | |
Msg-id | 874rdq944r.fsf_-_@CERT.Uni-Stuttgart.DE |
In response to | Re: [SECURITY] DoS attack on backend possible (was: Re: (Alvar Freude <alvar@a-blast.org>) |
Responses | Re: [SECURITY] DoS attack on backend possible |
List | pgsql-hackers |
Alvar Freude <alvar@a-blast.org> writes:

>> What about checking the input for backslash, quote,
>> and double quote (\'")? If you are not taking care of those in input
>> then crashing the backend is going to be the least of your worries.
>
> with Perl and *using placeholders and bind values*, the application
> developer has not to worry about this. So, usually I don't check the
> values in my applications (e.g. if only values between 1 and 5 are
> allowed and under normal circumstances only these are possible), it's the
> task of the database (check constraint).

That's the idea. It's the job of the database to guarantee data
integrity.

Obviously, the PostgreSQL developers disagree. If I've got to do all
checking in the application anyway, I can almost use MySQL
instead. ;-)

--
Florian Weimer                    Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898