Ruby on Rails
Wednesday, July 12, 2017
This may be more of a Postgres question than a Rails or Ruby question but ... since I want to do this in a Rails environment ...
I store my Postgres password in an environment variable whose name is a long randomly generated string in the appropriate format for an Ubuntu environment variable name..
Is it possible to get a list of environment variables from a (SELECT?) statement when executing an arbitrary SQL statement such as the two immediately below.
It is important to note that I have NOT installed R or PL/R.
Note: If PL/R is installed one can use the plr_environ() function to get a list of environment variables
Does anyone know a good (best?) forum to ask questions? I see Reddit link but if you know of a better place, I'm all ears.
-- I store my Postgres password in an environment variable whose name is a long randomly generated string in the appropriate format for an Ubuntu environment variable name..
Is it possible to get a list of environment variables from a (SELECT?) statement when executing an arbitrary SQL statement such as the two immediately below.
# Get a connection to a user's database.
# Once my question is answered, I'll want to ask questions about how the statmeent immediately below interacts with Rails'
# connection pool.
conn = PGconn.connect("localhost", 5432,"","","my_database_development","MyUserName","MyObviousPassword")
exec_sql_stmt_OK =
"DROP TABLE IF EXISTS logs;
CREATE TABLE logs (
client_ip inet,
username text,
ts timestamp,
request text,
status smallint,
bytes int
);"
# Is there some way to break my security model?
# Note, I'm picking up the text of exec_sql_stmt_BAD_BAD_BAD
from a form. Hence the use of single quotes to prevent interpolation.
exec_sql_stmt_BAD_BAD_BAD =
'
Some statement that will break my security model by giving a list of environment variables;
;'
# This will execute just fine
ret_exec_sql = conn.exec( exec_sql_OK )
# I hope there is no SQL statement that will fetch a list of environment variables if PL/R is not installed.
ret_exec_sql = conn.exec( exec_sql_stmt_ BAD_BAD_BAD )
It is important to note that I have NOT installed R or PL/R.
Note: If PL/R is installed one can use the plr_environ() function to get a list of environment variables
Does anyone know a good (best?) forum to ask questions? I see Reddit link but if you know of a better place, I'm all ears.
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/2b0c7c93-cc9f-4601-aca2-cabd03b51318%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment