>>>>> "Tom" == Tom Lane <tgl@xxxxxxxxxxxxx> writes: > Thom Brown <thombrown@xxxxxxxxx> writes: >> As for having plpgsql installed by default, are there any security >> implications? Tom> Well, that's pretty much exactly the question --- are there? It Tom> would certainly make it easier for someone to exploit any other Tom> security weakness they might find. I believe plain SQL plus SQL Tom> functions is Turing-complete, but that doesn't mean it's easy or Tom> fast to write loops etc in it. Now that we have recursive CTEs, plain SQL is turing-complete without requiring functions. (Yes, I did actually prove this a while back, by implementing one of the known-Turing-complete tag system automata as a single recursive query. This proof is pretty boring, though, because you wouldn't actually _use_ that approach in practice.) Loops in plain SQL are no problem: see generate_series. The last time we discussed this I demonstrated reasonably straightforward SQL examples of how to do things like password-cracking (and that was long before we had CTEs, so it would be even easier now); my challenge to anyone to produce examples of malicious plpgsql code that couldn't be reproduced in plain SQL went unanswered. -- Andrew (irc:RhodiumToad) -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
