Lincoln Yeoh <lyeoh@pop.jaring.my> writes:
> I doubt that I would ever recommend opening any RDBMS to the world.

Indeed. If filling your disk is the only form of denial-of-service
that an attacker can think of, then he's sadly lacking in creativity.

Bottom line for me is that if you're concerned about security then you
should NOT be allowing random people to issue SQL commands directly,
and so this issue isn't nearly as important as Dan makes it.

A more secure arrangement would be (for example) to provide access via
a website backed by CGI or PHP scripts, so that the only possible SQL
commands are those you've put into the scripts.

regards, tom lane