Re: Security Issues: Allowing Clients to Execute SQL in the Backend.

Hello World wrote:
> Denial of service is indeed a problem. Is there a way to limit the execution time of a request?

Yes, setting statement_timeout.

But if a client can exectue arbitrary statements, that could also
be statements like:

SET statement_timeout=0;
SET work_mem=1024GB;

> I'm using libpq to communicate with the server.
> 
> PS. I've just taken a look, it seems I could do some asynchronous queries, time them, then cancel them
> if they take too long.
> 
> http://www.postgresql.org/docs/8.4/static/libpq-cancel.html

That might be a way to avoid that people just reset statement_timeout.
Of course someone could start a deadly query and then kill the client
before it has a chance to cancel it...

Yours,
Laurenz Albe