Re: RFC: Security documentation

From Robert Treat
Subject Re: RFC: Security documentation
Date
Msg-id 200402151213.59216.xzilla@users.sourceforge.net
In response to Re: RFC: Security documentation  ("Jim C. Nasby" <jim@nasby.net>)
List pgsql-hackers
On Wednesday 11 February 2004 12:46, Jim C. Nasby wrote:
> On Sun, Feb 08, 2004 at 11:24:56PM -0800, Josh Berkus wrote:
> > The problem with this approach, of course, is that large application
> > developers generally like to make the database fairly "passive" and put
> > all business & security logic in the middleware.   I do think it would be
> > useful for them to realize that they are sacrificing a significant
> > portion of their data security by doing so.
>
> Perhaps what would be best is some kind of a 'best practices' guide.
> There's far more that people should consider beyond just quoting
> strings; Josh's example is just one thing.
>
> If written carefully, such a guide could serve both experienced DBAs as
> well as people who are very new to databases, since every database has
> its own preferred way of doing things.

Was thinking if someone wants to write up a series of articles discussing 
security best practices, this might be a good starting point since it would 
require someone to have everything figured out before getting started; you 
could pick a certain section and get specific about it. We have the 
infrastructure on techdocs to publish this, and once started we could use it 
to determine what should or should not be added to the standard docs. 

Robert Treat
-- 
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL

