Thom Brown <thombrown@gmail.com> writes: > As for having plpgsql installed by default, are there any security > implications?
Well, that's pretty much exactly the question --- are there? It would certainly make it easier for someone to exploit any other security weakness they might find. I believe plain SQL plus SQL functions is Turing-complete, but that doesn't mean it's easy or fast to write loops etc in it.
regards, tom lane
I personally find it more important to gracefully add plpgsql if it doesn't already exist than to rely on it already being there. In a way it wouldn't solve this problem as someone could have still removed it. Other procedural languages could benefit from some sort of check too.