Re: plpgsql by default
From | Andrew - Supernews |
---|---|
Subject | Re: plpgsql by default |
Date | |
Msg-id | slrne3oas1.2as.andrew+nonews@atlantis.supernews.net |
In response to | Re: Remote administration contrib module (Bruce Momjian <pgman@candle.pha.pa.us>) |
List | pgsql-hackers |
On 2006-04-11, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> David Fetter <david@fetter.org> writes:
>> I don't get your not getting this 'cause you're a very smart guy. Are
>> you under the impression that an attacker will stop because he has to
>> try a few times?
>
> No, I'm saying that having access to a PL renders certain classes of
> attacks significantly more efficient.

Not significantly, and I'll happily back up that assertion with code examples. (I've already posted an example brute-force search to illustrate that.)

> A determined attacker with
> unlimited time may not care, but in the real world, security is
> relative. You don't have to make yourself an impenetrable target,
> only a harder target than the next IP address --- or at least hard
> enough that the attacker's likely to get noticed before he's succeeded.
> (And certainly, doing anything compute-intensive via recursive SQL
> functions is not the way to go unnoticed.)

Doing something compute-intensive with pl/pgsql functions will be just as noticeable.

--
Andrew, Supernews
http://www.supernews.com - individual and corporate NNTP services