Hello folks, Problem: I would need some help with the system I am working on. It is an information system built on PgSQL 8 and after searching all over the net I found no function I could use to determine where the request to the DB (select...) came from. I need it to prevent using fake user ID numbers. Premises: All clients connect to the server via a single DB user. The users do not know the passwords of each other, but they may know each other's ID numbers. Any action in the system is carried out via access functions implemented as stored procedures on the DB and the tables are only accessible to select data, nothing more. Possible exploit: There are 2 users, A and B. B knows A's ID, while B is logged in, he connects to the DB via psql and sends an API call identifying himself as B. The system will accept it, because the origin of the request is not known. Question: is there any way how to find out on the server where the client request came from? If there was, I could ensure that one user connects only via 1 IP address. Or is this a wrong approach? Should I better use some key located at the computer of the user only visible to him that would be sent everytime the client requests action from the server via a secure connection? Please enlighten me. Thanks in advance. Zoltan ____________________________________ Najdi svojich spoluziakov! http://www.spoluziak.sk ---------------------------(end of broadcast)--------------------------- TIP 9: the planner will ignore your desire to choose an index scan if your joining column's datatypes do not match
