Questions tagged [postgresql]

PostgreSQL is an open-source RDBMS.

53 questions
70 votes · 3 answers

Is this a SQL injection attack or is it some sort of bug?

I was looking through some data in our database when I came across a bunch of weird user_id entries: user_id -1080) ORDER BY 1# -1149 UNION ALL SELECT 79,79,79,79,79,79,79,79,79# -1359' UNION ALL SELECT 79,79,79,79,79,79,79,79,79,79-- JwSh -1409'…
turnip
25 votes · 4 answers

Is Postgres password-based authentication secure?

According to Postgres's documentation, Postgres's password authentication method uses MD5 hashing to secure the password: The password-based authentication methods are md5 and password. These methods operate similarly except for the way that the…
Ajedi32
25 votes · 6 answers

Is a sha256 hash of a unix timestamp a strong password?

I am setting up a postgres db that will never be used by humans. In fact, I really don't need to know it myself ever. I assumed that just using a 256-bit (64 alphanumeric chars) hash of a unix timestamp, i.e.: date +%s%3N | sha256sum A very important…
ThisGuyCantEven
21 votes · 1 answer

Is Postgres's uuid_generate_v4 securely random?

I'm using Postgres's uuid_generate_v4 in a uuid primary key column to generate secure one-time authentication tokens. Is this okay? Does Postgres use a secure random number source for generating these UUIDs or should I be generating them using a…
glittershark
20 votes · 4 answers

Do stored procedures prevent SQL Injection in PostgreSQL?

Is it true that stored procedures will prevent databases from being injected? I did a little research and I found out that SQL-Server, Oracle and MySQL are not safe against SQL injections if we only use stored procedures. However, this problem does…
Am1rr3zA
10 votes · 1 answer

Permanently delete a record

Say there is a SQL database that stores certain records in encrypted form. A person wants deletion of a record in a way that even hard drive recovery services cannot recover it without breaking the hard drive. Is it possible to delete records this way?
8 votes · 2 answers

Postgres password security

How safe is a Postgres user's password? When a new db user is created, is the stored password hashed and salted?
LINUX G33NYUS
6 votes · 2 answers

Postgres protection from SQL Injection

Postgres allows dynamic code execution, which might leave it vulnerable to SQL injection. What protective measures does it have against this?
LINUX G33NYUS
5 votes · 2 answers

If Postgres trusts localhost connections, is it dangerous to visit random websites?

If I have a locally running Postgres configured to trust all connections from localhost, does it mean any website I visit has the ability to make a localhost-to-localhost connection to Postgres with JavaScript running in my browser?
Atte Juvonen
5 votes · 1 answer

Is it safe to set rejectUnauthorized to false when using Heroku's Postgres database?

I am trying to put some fields in a Postgres database hosted on a Heroku app and it keeps returning this error: Error: self signed certificate code: 'DEPTH_ZERO_SELF_SIGNED_CERT' I have tried adding a key, certificate, and CA bundle but to no…
Phyrik
4 votes · 2 answers

Separate Auth DB for Increased Security

I'm a dev working on an app that has a monolith DB (PostgreSQL). We are using a third party provider for AUTH and MFA, but want to move MFA back into our control. The plan was to move the encrypted MFA secrets into our monolith DB, but there was…
4 votes · 1 answer

Thousands of 28000 "no pg_hba.conf entry for host" logs from Postgres - is this an attack?

Since yesterday afternoon my production Postgres database hosted on Amazon EC2 has been logging thousands of errors (averaging one or two per second) that all follow the format: sql_error_code = 28000 FATAL: no pg_hba.conf entry for host…
Isaac Lyman
4 votes · 1 answer

Restoring database from a hacked system

A linux VM with postgres 9.4 was hacked into. (Two processes taking 100% cpu, weird files in /tmp, did not reoccur after kill(s) and restart.) It was decided to install the system from scratch on a new machine (with postgres 9.6). The only data…
user1713059
3 votes · 1 answer

Does "row-level security" actually serve a security purpose?

Row-level security is often an industry requirement in secure environments, such as those dealing with payment cards. It's supported by most major relational databases, including PostgreSQL, Microsoft SQL Server and Oracle. It works by introducing…
loopbackbee
3 votes · 3 answers

Is SQL injection still a bad thing if the user is restricted to non-harmful queries?

Suppose I have a very simple PHP application that acts as a front-end for an SQL database. The user enters their query into a box, and the app shows the query results in a table. To prevent a user from modifying the table, the SQL user only has…
ivorysoap