Re: hacker help: PHP-4.2.3 patch to allow restriction of

On Thu, 26 Sep 2002, Jim Mercer wrote:

> On Fri, Sep 27, 2002 at 11:15:35AM +1000, Gavin Sherry wrote:
> > On Thu, 26 Sep 2002, Jim Mercer wrote:
> > > > I would think so, and IMHO, that's where pgsql access control
> > > > belongs, with pgsql.
> > 
> > I totally disagree. It is a language level restriction, not a database
> > level one, so why back it into Postgres? Just parse 'conninfo' when it is 
> > pg_(p)connect() and check it against the configuration setting.
> 
> which is effectively what my code does, except i was lazy, and i let the
> connection proceed, then check if PQdb() is in the auth list, and fail

Ahh yes. I meant to say this. No point being lazy when it comes to
security.

> maybe not _totally_ secure, but much moreso than nothing.
> 

I was basically just suggesting that its effect needs to be
documented. "This needs to be used in conjunction with other forms of
security...."

Gavin