Highest Voted 'postgresql' Questions - IT Security Stack Exchange

70

votes

3 answers

Is this a SQL injection attack or is it some sort of bug?

I was looking through some data in our database when I came across a bunch of weird user_id entries: user_id -1080) ORDER BY 1# -1149 UNION ALL SELECT 79,79,79,79,79,79,79,79,79# -1359' UNION ALL SELECT 79,79,79,79,79,79,79,79,79,79-- JwSh -1409'…

sql-injection postgresql

asked Sep 29 '17 at 09:54

turnip

785
1
6
9

25

votes

4 answers

Is Postgres password-based authentication secure?

According to Postgres's documentation, Postgres's password authentication method uses MD5 hashing to secure the password: The password-based authentication methods are md5 and password. These methods operate similarly except for the way that the…

tls databases md5 postgresql

asked Aug 22 '13 at 17:14

Ajedi32

4,637
2
26
60

25

votes

6 answers

Is a sha256 hash of a unix timestamp a strong password

I am setting up a postgres db that will never be used by humans. In fact, I really don't need to know it myself ever. I assumed that just using a 256bit(64 alphanumeric chars) hash of a unix timestamp IE: date +%s%3N | sha256sum A very important…

passwords databases entropy sha256 postgresql

asked Jul 24 '22 at 04:47

ThisGuyCantEven

499
4
10

21

votes

1 answer

Is Postgres's uuid_generate_v4 securely random?

I'm using Postgres's uuid_generate_v4 in a uuid primary key column to generate secure one-time authentication tokens. Is this okay? Does Postgres use a secure random number source for generating these UUIDs or should I be generating them using a…

authentication appsec random postgresql

asked Jul 14 '15 at 14:01

glittershark

313
2
6

20

votes

4 answers

Do stored procedures prevent SQL Injection in PostgreSQL?

Is it true that stored procedures will prevent databases from being injected? I did a little research and I found out that SQL-Server, Oracle and MySQL are not safe against SQL injections if we only use stored procedures. However, this problem does…

appsec sql-injection databases postgresql

asked Nov 19 '10 at 22:44

Am1rr3zA

3,043
4
17
14

10

votes

1 answer

Permanently delete a record

Say there is a SQL database that stores certain records in encrypted. A person wants deletion of a record in a way that even hard drive recovery services cannot recover it without breaking the hard drive. Is it possible to delete records this way?

encryption postgresql

asked Feb 20 '21 at 09:23

savegoodlyfnotendorsinganswer

219
1
8

8

votes

2 answers

Postgres password security

How safe is a Postgres user's password? When a new db user is created, is the stored password hashed and salted?

hash salt postgresql

asked Mar 03 '17 at 20:06

LINUX G33NYUS

245
3
6

6

votes

2 answers

Postgres protection from SQL Injection

Postgres allows dynamic code execution, which might leave it vulnerable to SQL injection. What protective measures does it have against this?

sql-injection postgresql

asked Mar 06 '17 at 22:26

LINUX G33NYUS

245
3
6

5

votes

2 answers

If Postgres trusts localhost connections, is it dangerous to visit random websites?

If I have a locally running Postgres configured to trust all connections from localhost, does it mean any website I visit has the ability to make a localhost-to-localhost connection to Postgres with JavaScript running in my browser?

web-browser postgresql

asked Nov 18 '20 at 16:55

Atte Juvonen

440
1
4
10

5

votes

1 answer

Is it safe to set rejectUnauthorized to false when using Heroku's Postgres database?

I am trying to put some fields in a Postgres database hosted on a Heroku app and it keeps returning this error: Error: self signed certificate code: 'DEPTH_ZERO_SELF_SIGNED_CERT' I have tried adding a key, certificate, and CA bundle but to no…

tls http node.js postgresql

asked Apr 05 '20 at 14:46

Phyrik

53
1
4

4

votes

2 answers

Separate Auth DB for Increased Security

I'm a dev working on an app that has a monolith DB (PostgreSQL). We are using a third party provider for AUTH and MFA, but want to move MFA back into our control. The plan was to move the encrypted MFA secrets into our monolith DB, but there was…

authentication databases multi-factor postgresql

asked Jul 19 '19 at 04:16

seansean11

143
3

4

votes

1 answer

Thousands of 28000 "no pg_hba.conf entry for host" logs from Postgres - is this an attack?

Since yesterday afternoon my production Postgres database hosted on Amazon EC2 has been logging thousands of errors (averaging one or two per second) that all follow the format: sql_error_code = 28000 FATAL: no pg_hba.conf entry for host…

ddos postgresql

asked Mar 04 '19 at 17:28

Isaac Lyman

143
1
6

4

votes

1 answer

Restoring database from a hacked system

A linux VM with postgres 9.4 was hacked into. (Two processes taking 100% cpu, weird files in /tmp, did not reoccur after kill(s) and restart.) It was decided to install the system from scratch on a new machine (with postgres 9.6). The only data…

linux databases virtualization postgresql

asked Dec 01 '16 at 15:29

user1713059

145
3

3

votes

1 answer

Does "row-level security" actually serve a security purpose?

Row-level security is often an industry requirement in secure environments, such as those dealing with payment cards. It's supported by most major relational databases, including PostgreSQL, Microsoft SQL Server and Oracle. It works by introducing…

sql-injection databases pci-dss confidentiality postgresql

asked Feb 13 '22 at 00:13

loopbackbee

5,308
2
21
22

3

votes

3 answers

Is SQL injection still a bad thing if the user is restricted to non-harmful queries?

Suppose I have a very simple PHP application that acts as a front-end for an SQL database. The user enters their query into a box, and the app shows the query results in a table. To prevent a user from modifying the table, the SQL user only has…

php sql-injection postgresql

asked Apr 04 '20 at 19:38

ivorysoap

33
2

Questions tagged [postgresql]