Re: if I allow anyone on the web to run SQL queries against my database, what are the obvious attacks hackers will try?

Posted by lawrence k on 04/15/06 02:43

Good Man wrote:
> "lawrence k" <lkrubner@geocities.com> wrote in
> news:1144909681.379717.249460@t31g2000cwb.googlegroups.com:
>
>
> > The function that returns this checks the query to see if it contains
> > the words ALTER, DROP, EMPTY, GRANT, UPDATE, INSERT, and a bunch of
> > others. It calls die() if it sees any of those words.
> >
> > For obvious reasons, I'm trepidatious about exposing the database to
> > this degree. What are some of the obvious, and not so obvious, attacks
> > that I should expect and defend against?
>
> a question i have as an outsider is, why are you doing this in the first
> place?

So that outsiders can get the information in formats that I'd never
dream of. If I write every query myself, it forecloses the thing I want
most, which is people doing stuff with the contents of Accumulist that
I myself would never think of.

I've a long term goal of writing the whole database out every hour as a
giant RDF file, with all the relationships made explicit, and that
might allow the amount of spontaneous invention by outsiders that I'm
hoping for. But till then, I'm looking for an easier way to enable
this.

The simplest thing is for me to allow others to write their own SQL and
then for outsiders to pass in text files describing how they want the
output formatted.

If I can't make this secure, then I'll just write everything out as a
simple, huge XML file and let people use that.
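The keyword blacklist described in the quoted post is the weakest control available for this setup. The following is an added example, not code from this thread or from Accumulist; it uses Python with sqlite3 standing in for the site's database (the table and rows are constructed), and contrasts the substring blacklist (which also rejects harmless queries, for instance one filtering on a column named last_updated) with an allowlist check, a read-only connection, a single-statement limit and a work budget, so that the text filter is never the only thing between the public and the data.

```python
import os
import re
import sqlite3
import tempfile

# Keyword blacklist as the post describes it: substring match, then refuse.
WRITE_KEYWORDS = ("ALTER", "DROP", "EMPTY", "GRANT", "UPDATE", "INSERT", "DELETE", "CREATE")

def blacklist_rejects(sql):
    """The post's approach: refuse if any write keyword appears anywhere in the text."""
    upper = sql.upper()
    return any(word in upper for word in WRITE_KEYWORDS)

def is_single_select(sql):
    """Allowlist instead: exactly one statement, and it must start with SELECT or WITH."""
    body = sql.strip().rstrip(";").strip()
    return ";" not in body and re.match(r"(SELECT|WITH)\b", body, re.IGNORECASE) is not None

def make_sample_db():
    """Constructed sample database standing in for the site's real data (hypothetical schema)."""
    path = os.path.join(tempfile.mkdtemp(), "accumulist_sample.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, last_updated TEXT)")
    conn.executemany("INSERT INTO items (title, last_updated) VALUES (?, ?)",
                     [("first", "2006-04-01"), ("second", "2006-04-10")])
    conn.commit()
    conn.close()
    return path

def run_public_query(db_path, sql, row_limit=100, step_budget=100):
    """Run an untrusted query under several independent controls."""
    if not is_single_select(sql):
        raise ValueError("only a single SELECT statement is accepted")
    # mode=ro: the engine itself refuses writes, whatever the query text says.
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    calls = [0]
    def budget():  # invoked every 1000 VM instructions; non-zero aborts the query
        calls[0] += 1
        return 1 if calls[0] > step_budget else 0
    conn.set_progress_handler(budget, 1000)
    try:
        cur = conn.execute(sql)          # sqlite3 refuses more than one statement here
        return cur.fetchmany(row_limit)  # bound the size of the response
    finally:
        conn.close()

def engine_refuses_writes(db_path):
    """Second layer: a write handed straight to the read-only connection still fails."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        conn.execute("DELETE FROM items")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()
```

The same layering applies to MySQL: grant the web-facing account SELECT only, and keep the text check as a first filter rather than the sole one.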
