Re: [SECURITY] DoS attack on backend possible
| From | Florian Weimer |
|---|---|
| Subject | Re: [SECURITY] DoS attack on backend possible |
| Date | |
| Msg-id | 87r8gsxue1.fsf@CERT.Uni-Stuttgart.DE |
| In reply to | Re: [SECURITY] DoS attack on backend possible (ngpg@grymmjack.com) |
| List | pgsql-hackers |

ngpg@grymmjack.com writes:

> if you are going to be passing any user input to the database, you
> must/should validate in some manner before blindly passing it to the db.
> The db can and should guarantee data integrity, but the database cannot
> read your mind when it comes to how you structure your queries.

[example of SQL injection attack deleted]

This is not the problem at hand. SQL injection attacks can be avoided easily. Bugs in the conversion of strings to internal PostgreSQL objects are a different matter, though, and usually, devastating effects cannot be avoided by (reasonably complex) checks in the frontend.

--
Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898