Re: plpgsql by default (was: Re: Remote administration contrib module)

From: Andrew - Supernews
Subject: Re: plpgsql by default (was: Re: Remote administration contrib module)
Date:
Msg-id: slrne3m8eo.2as.andrew+nonews@atlantis.supernews.net
In reply to: Re: Remote administration contrib module (Peter Eisentraut <peter_e@gmx.net>)
List: pgsql-hackers
On 2006-04-11, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Andrew - Supernews <andrew+nonews@supernews.com> writes:
>> On 2006-04-10, Bruce Momjian <pgman@candle.pha.pa.us> wrote:
>>>> [ security ]
>>> It actually is the reason I have heard.
>
>> And it was duly debunked.
>
> That is the reasoning, and personally I agree with it.  You don't leave
> sharp objects sitting around if you have no need to have them out.
> The availability of plpgsql or other PLs makes for a significant jump
> in what a bad guy can do if he gets access to the database,

Example please.

Last time this was discussed, the claimed examples were things like
running infinite loops as a resource exhaustion attack, which is pretty
trivial to do in plain SQL functions or even in plain SQL without functions,
and running things like brute-force attacks on password hashes (which also
isn't hard using plain SQL functions).

-- 
Andrew, Supernews
http://www.supernews.com - individual and corporate NNTP services
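The two examples Andrew refers to, written out in plain SQL so the claim can be checked. This is an added illustration, not code from the post or from the PostgreSQL project; the table names (stolen_hashes, wordlist), the function name md5_guess, the role name and the password are constructed for the example. It assumes the pre-SCRAM password storage format, 'md5' || md5(password || rolename), which is what pg_authid held in the 8.x releases being discussed, and it uses only generate_series(), md5() and a LANGUAGE sql function, none of which require plpgsql or any other procedural language.

```sql
-- 1. Resource exhaustion with no procedural language at all.
--    A cross join of two large generate_series() calls yields 10^12 rows
--    and runs until it is cancelled or the server runs out of disk/CPU.
--    Left commented out so this script does not hang when run as a whole:
-- SELECT count(*) FROM generate_series(1, 1000000) a,
--                     generate_series(1, 1000000) b;

-- 2. Brute-forcing a password hash with a plain SQL function.
--    Constructed sample: a stolen row in the old pg_authid format
--    ('md5' || md5(password || rolname)) for role 'alice' / 'hunter2'.
CREATE TEMP TABLE stolen_hashes AS
SELECT 'alice'::text                         AS rolname,
       'md5' || md5('hunter2' || 'alice')    AS rolpassword;

-- Constructed wordlist standing in for a real dictionary.
CREATE TEMP TABLE wordlist (word text);
INSERT INTO wordlist VALUES ('password'), ('letmein'), ('hunter2'), ('qwerty');

-- A LANGUAGE sql function (not plpgsql): does one candidate match?
-- md5_guess is a hypothetical name chosen for this example.
CREATE FUNCTION md5_guess(candidate text, role text, stored text)
RETURNS boolean LANGUAGE sql IMMUTABLE AS $$
  SELECT 'md5' || md5($1 || $2) = $3
$$;

-- Try every word against every stolen hash; the join does the looping.
SELECT h.rolname, w.word
FROM   stolen_hashes h
CROSS JOIN wordlist w
WHERE  md5_guess(w.word, h.rolname, h.rolpassword);
```

The final SELECT returns the one matching row (alice, hunter2). Two things worth keeping in mind when reading this: the set-oriented join replaces the loop that a procedural language would otherwise supply, which is why the availability of plpgsql does not change what this attacker can do; and reading rolpassword from pg_authid already requires superuser rights, so the realistic threat here is an attacker who has obtained the hashes some other way and uses the database as a convenient compute engine.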

