Ruby on Rails Wednesday, July 12, 2017

This may be more of a Postgres question than a Rails or Ruby question but ... since I want to do this in a Rails environment ...

I store my Postgres password in an environment variable whose name is a long randomly generated string in the appropriate format for an Ubuntu environment variable name.

Is it possible to get a list of environment variables from a (SELECT?) statement when executing an arbitrary SQL statement such as the two immediately below?
# Get a connection to a user's database.
# Once my question is answered, I'll want to ask questions about how the statement immediately below interacts with Rails'
#   connection pool.
conn = PGconn.connect("localhost", 5432,"","","my_database_development","MyUserName","MyObviousPassword")

  client_ip inet,
  username text,
  ts timestamp,
  request text,
  status smallint,
  bytes int

# Is there some way to break my security model?
# Note, I'm picking up the text of exec_sql_stmt_BAD_BAD_BAD from a form.  Hence the use of single quotes to prevent interpolation.
Some statement that will break my security model by giving a list of environment variables;

# This will execute just fine
conn.exec( exec_sql_OK )

# I hope there is no SQL statement that will fetch a list of environment variables if PL/R is not installed.
conn.exec( exec_sql_stmt_BAD_BAD_BAD )

It is important to note that I have NOT installed R or PL/R.

Note: If PL/R is installed, one can use the plr_environ() function to get a list of environment variables.

Does anyone know a good (best?) forum to ask questions?  I see a Reddit link, but if you know of a better place, I'm all ears.
