Security Issues: Allowing Clients to Execute SQL in the Backend.

Поиск
Список
Период
Сортировка
От Hello World
Тема Security Issues: Allowing Clients to Execute SQL in the Backend.
Дата
Msg-id CAB8jeLnU1=aJdh-UYTODo8LspDm0hpCDj=ALc7V2UXxayCHCTA@mail.gmail.com
обсуждение исходный текст
Ответы Re: Security Issues: Allowing Clients to Execute SQL in the Backend.  (Albe Laurenz <laurenz.albe@wien.gv.at>)
Re: Security Issues: Allowing Clients to Execute SQL in the Backend.  (Rory Campbell-Lange <rory@campbell-lange.net>)
Re: Security Issues: Allowing Clients to Execute SQL in the Backend.  (Chris Travers <chris.travers@gmail.com>)
Список pgsql-general
Дерево обсуждения
Hello!

I'm developing a web application that needs to display data from a postgres backend.

The most convenient way for the app to get the data is by expressing the request in SQL.

I'm thinking about the following architecture

[ App/Client ] -----> query in SQL ---> [Web server] ---> same SQL query --> [PG database]

***********
I would simply use the roles/permssion system inside Postgres to determine what users
can  do and cannot do. Clients have to authenticate as one of the roles (not superusers) defined in the database.
************

Given this are there any security other issues about letting client applications execute arbitrary SQL commands on the backend database?

Thanks.

В списке pgsql-general по дате отправления:

Предыдущее
От: Sergey Konoplev
Дата:
Сообщение: Re: Vacuuming strategy
Следующее
От: Albe Laurenz
Дата:
Сообщение: Re: Security Issues: Allowing Clients to Execute SQL in the Backend.