FAQ
Hello, Is it possible to REVOKE the ALTER USER command? In such a way that users cannot change their password and username? And also cannot delete themselves with DROP USER?

Now I solve the problem in PHP, by filtering the SQL query string before sending it to PostgreSQL as follows:

1. delete double, triple etc. spaces (with regular expression: ~ {2,}~)
2. uppercase the string (with strtoupper())
3. delete SQL commands (with '#(ALTER USER|DROP USER)#siU')

but you can still create a pgsql function that executes SQL commands, and maybe there are other ways... So this isn't a good option.

I can't make new database users. That is forbidden by my host. So I don't want to lose any users. Does anyone have ideas??

Greetz, Tjibbe


  • Tom Lane at Jul 8, 2007 at 4:23 pm

    Tjibbe writes:
    > Hello, Is it possible to REVOKE the ALTER USER command? In such a way that users cannot change their password and username? And also cannot delete themselves with DROP USER?
    Ordinary users (those without superuser or createrole privilege) can't
    do any of that except change their own password ... and I don't see a
    particularly good argument for preventing them from doing that.
    > Now I solve the problem in PHP, by filtering the SQL query string before sending it to PostgreSQL as follows:
    If you're allowing untrusted sources to provide chunks of SQL to be
    executed directly, you've got problems far worse than this one.

    regards, tom lane
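The privilege boundary Tom describes, as an added example that is not part of the thread: a psql script, run by a superuser, that acts as an ordinary role and shows which of the operations Tjibbe worries about actually succeed. The role names and passwords are constructed for the demonstration.

```sql
-- Added example (not from the thread). Run as a superuser in psql.
-- demo_user and other_user are constructed roles for this demonstration.

-- Ordinary roles: no SUPERUSER, no CREATEROLE (the flags ALTER/DROP ROLE check).
CREATE ROLE demo_user  LOGIN PASSWORD 'constructed-demo-pw'  NOSUPERUSER NOCREATEROLE;
CREATE ROLE other_user LOGIN PASSWORD 'constructed-other-pw' NOSUPERUSER NOCREATEROLE;

-- Confirm the flags before testing.
SELECT rolname, rolsuper, rolcreaterole
  FROM pg_roles
 WHERE rolname IN ('demo_user', 'other_user');

-- psql: keep going past the expected permission errors so every case is shown.
\set ON_ERROR_STOP off

-- Become the unprivileged role (superuser-only; mirrors a real login as demo_user).
SET SESSION AUTHORIZATION demo_user;

-- Allowed: a role may change its own password (the one case Tom points out).
ALTER ROLE demo_user PASSWORD 'constructed-new-pw';

-- Denied: changing another role's password needs CREATEROLE or SUPERUSER.
ALTER ROLE other_user PASSWORD 'constructed-pw-2';   -- ERROR: permission denied

-- Denied: renaming a role. Renaming the session user is refused outright,
-- and renaming any other role needs CREATEROLE or SUPERUSER.
ALTER ROLE demo_user RENAME TO demo_user2;           -- ERROR
ALTER ROLE other_user RENAME TO other_user2;         -- ERROR: permission denied

-- Denied: dropping a role, itself or another, needs CREATEROLE or SUPERUSER.
DROP ROLE other_user;                                -- ERROR: permission denied
DROP ROLE demo_user;                                 -- ERROR

RESET SESSION AUTHORIZATION;

-- Defensive check for a shared host: list every role that could alter or drop
-- other roles. A demo or application role should never appear here.
SELECT rolname
  FROM pg_roles
 WHERE (rolsuper OR rolcreaterole)
   AND rolname NOT LIKE 'pg\_%';

-- Remove the constructed roles.
DROP ROLE demo_user;
DROP ROLE other_user;
```

The only thing an ordinary role can do to itself is change its own password, which is exactly the demo-account problem Tjibbe raises next; the flags listed by the last query are the ones worth auditing on any shared server.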
  • Tjibbe at Jul 8, 2007 at 7:36 pm
    But is it possible? For a demo account it can be handy. Because visitors can change the visitor account, so the next visitor can't log in. And the owner of the demo can't recover the password. The problem for me is that I only have 2 database users. So I can't afford to lose one.

    Tjibbe
  • Tjibbe at Jul 8, 2007 at 9:24 pm
    But it is somewhat strange that somebody can change the password without knowing the old one... So if you leave your computer alone, everyone can change the password. So he can log in.

Discussion overview: group pgsql-novice (postgresql.org, irc #postgresql); posted Jul 8, 2007 at 8:52am, last activity Jul 8, 2007 at 9:24pm; 4 posts by 2 users (Tjibbe: 3 posts, Tom Lane: 1 post).
