
Re: HIPPA (was Re: Anyone know ...)

Karsten Hilbert wrote:
>> If the user figures out our URL scheme, they might try something like
>> "?gp_page=patients" and say "Wow I'm clever I'm going to look at the
>> patients table", except that the public user has no privilege on the
>> table.  The db server will throw a permission denied error.
>
> My interest was more towards the "we get an email" part.
> What level do you send that from? A trigger?

The web framework does that.  The web framework decodes the HTTP request and executes any SQL it thinks the user wants.  If there is a permissions error then it sends an email to the administrator.

The underlying idea is that the GET/POST parameters are pretty standard and easy to decode and convert into SQL commands.  For instance, by default we assume a page = a table, and lacking any code that overrides that assumption, a request for a page becomes a search request in the table of the same name.  This is the first thing a cracker would depend upon if he were trying to pry.
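
The flow described in this message, as an added example that is not part of the original post or the poster's framework: a page name is mapped to a table, the database refuses the read, and the handler turns the refusal into an administrator alert. SQLite's authorizer callback stands in for PostgreSQL table privileges so the block runs offline (with PostgreSQL the condition to catch is SQLSTATE 42501, insufficient_privilege); `open_db`, `handle`, the `news` table, the identifier check and the address are assumptions.

```python
import re
import sqlite3
from email.message import EmailMessage
from urllib.parse import parse_qs

ADMIN = "admin@example.org"        # constructed address
PUBLIC_TABLES = {"news"}           # stand-in for the GRANTs held by the public role
IDENT = re.compile(r"[a-z_][a-z0-9_]{0,62}")

def open_db():
    """Constructed sample data; the authorizer plays the role of table privileges."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE news(id, title); INSERT INTO news VALUES (1, 'Clinic hours');"
        "CREATE TABLE patients(id, name); INSERT INTO patients VALUES (1, 'Jane Doe');"
    )
    def authorize(action, table, column, dbname, source):
        if action == sqlite3.SQLITE_READ and table not in PUBLIC_TABLES:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    db.set_authorizer(authorize)   # installed after setup so the inserts succeed
    return db

def handle(db, query_string, client_ip):
    """Return (status, rows, alert); alert is an EmailMessage or None."""
    page = parse_qs(query_string.lstrip("?")).get("gp_page", [""])[0]
    if not IDENT.fullmatch(page):  # never interpolate an unchecked identifier
        return 400, [], None
    try:
        rows = db.execute(f'SELECT * FROM "{page}"').fetchall()
        return 200, rows, None
    except sqlite3.Error as exc:
        text = str(exc)
        if "prohibited" not in text and "not authorized" not in text:
            return 404, [], None   # e.g. no such table: not a privilege event
        alert = EmailMessage()
        alert["To"] = ADMIN
        alert["Subject"] = f"permission denied: page={page}"
        alert.set_content(f"client={client_ip}\nquery={query_string}\nerror={exc}")
        return 403, [], alert      # caller hands the alert to its mail transport
```

The alert subject only ever contains the validated page name, so a crafted parameter cannot inject mail headers.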

