What is the best way to run an arbitrary query received from an untrusted source, safely?

(I want a web page form with a textbox where a user can enter an arbitrary SQL statement, then run it, but I want to prevent them from changing anything or escaping PostgreSQL and executing system commands. I.e., it is intended to allow for searching only. I understand and accept that resource-hogging queries could be submitted, constituting a DoS attack, but I will deal with that in other ways.)

I am thinking that running the query on a connection with a role that gives only SELECT privileges might be sufficient. Is it? Any things I need to watch out for? Any other or better ways to do this?

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
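One way to set up the SELECT-only role the question describes, as an added example that is not part of the original post or the PostgreSQL documentation. The database, role and table names (searchdb, search_ro, some_table) are assumptions; the key point is that the GRANT/REVOKE privileges are the real boundary, while the session settings are a second layer the user could switch off themselves. Server-side file access and COPY ... TO PROGRAM are not available to an ordinary role in any case; they require superuser or membership in the pg_read_server_files / pg_execute_server_program roles.

```sql
-- Added example: a locked-down login role for running user-supplied SELECTs.
-- searchdb, search_ro and some_table are placeholder names (assumptions).

-- 1. The role the web application connects as. NOINHERIT keeps it from
--    picking up privileges of any role it might later be granted.
CREATE ROLE search_ro LOGIN NOINHERIT NOCREATEDB NOCREATEROLE
    CONNECTION LIMIT 10 PASSWORD '<placeholder>';

-- 2. Per-session defaults. Both parameters are user-settable, so a submitted
--    "SET default_transaction_read_only = off" undoes them; they are not the
--    security boundary, only a clean early error behind the grants below.
ALTER ROLE search_ro SET default_transaction_read_only = on;
ALTER ROLE search_ro SET statement_timeout = '5s';

-- 3. Strip what PUBLIC gets by default (CONNECT and TEMP on the database,
--    CREATE on the public schema before PostgreSQL 15), then grant back
--    only what a search needs.
REVOKE ALL ON DATABASE searchdb FROM PUBLIC;
GRANT  CONNECT ON DATABASE searchdb TO search_ro;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT  USAGE ON SCHEMA public TO search_ro;
GRANT  SELECT ON ALL TABLES IN SCHEMA public TO search_ro;
GRANT  SELECT ON ALL SEQUENCES IN SCHEMA public TO search_ro;
-- Tables the current (owning) role creates later get the same grant.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO search_ro;

-- 4. Functions: PUBLIC may EXECUTE every function by default. Any
--    SECURITY DEFINER function or function with side effects in the schema
--    would otherwise be callable from the search form.
REVOKE ALL ON ALL FUNCTIONS IN SCHEMA public FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- 5. Verify from an administrative session before wiring up the form:
--    only the SELECT check should come back true.
SELECT has_table_privilege('search_ro', 'public.some_table', 'SELECT')  AS can_select,
       has_table_privilege('search_ro', 'public.some_table', 'INSERT')  AS can_insert,
       has_schema_privilege('search_ro', 'public', 'CREATE')             AS can_create,
       has_database_privilege('search_ro', 'searchdb', 'TEMP')           AS can_temp;
```

Re-run step 5 after any schema change, since objects created by a role other than the one that ran ALTER DEFAULT PRIVILEGES fall back to the normal defaults.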