Total security in a PostgreSQL database - thejo
http://www.ibm.com/developerworks/opensource/library/os-postgresecurity/index.html?ca=drs-

======
tptacek
I've only skimmed this, but it looks like a great post, covering an area of
database security almost everyone overlooks. There is no reason your app needs
to run with carte blanche access to every table in the database, especially
when your app is primarily driven by reads.

I've been on pentest engagements where clients have survived rather horrible
SQL injection vulnerabilities because the database handle the injection
happened on had no meaningful privileges.

~~~
marcinw
Also why stored procedures are often recommended since you can apply access
controls around them.

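Putting the two points above (a low-privilege handle for the app, and routing the few writes through a privileged routine) into a concrete PostgreSQL setup, as an added example that is not part of the article or of either comment; the role, table and function names are hypothetical:

```sql
-- Added example (not from the article or the comments): least-privilege
-- PostgreSQL roles for a read-heavy web application. All names hypothetical.

-- The owner role holds full rights on the data; the application never
-- connects as it.
CREATE ROLE app_owner NOLOGIN;
CREATE TABLE articles (
    id     serial PRIMARY KEY,
    title  text   NOT NULL,
    body   text   NOT NULL,
    views  bigint NOT NULL DEFAULT 0
);
ALTER TABLE articles OWNER TO app_owner;

-- The role the web application actually connects with.
CREATE ROLE app_reader LOGIN PASSWORD 'replace-me';   -- placeholder secret

-- Strip the defaults: PUBLIC normally has CREATE/USAGE on schema public.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO app_reader;

-- Read access to exactly the columns the app renders, nothing more.
GRANT SELECT (id, title, body) ON articles TO app_reader;

-- The single write the app needs is wrapped in a SECURITY DEFINER function
-- that runs with app_owner's privileges. app_reader never receives UPDATE
-- on the table, so an injected UPDATE/DELETE through the app's handle fails.
CREATE FUNCTION bump_views(article_id integer) RETURNS void
    LANGUAGE sql
    SECURITY DEFINER
    SET search_path = public, pg_temp   -- pin search_path for definer code
AS $$
    UPDATE articles SET views = views + 1 WHERE id = article_id;
$$;
ALTER FUNCTION bump_views(integer) OWNER TO app_owner;
REVOKE EXECUTE ON FUNCTION bump_views(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION bump_views(integer) TO app_reader;

-- Check from the application's perspective:
-- SET ROLE app_reader;
-- SELECT id, title FROM articles;        -- OK
-- SELECT * FROM articles;                -- ERROR: permission denied (views column not granted)
-- UPDATE articles SET title = 'x';       -- ERROR: permission denied
-- DELETE FROM articles;                  -- ERROR: permission denied
-- SELECT bump_views(1);                  -- OK, the only write path
```

Run the script as a superuser (or the database owner); the commented-out block at the end is what to try after `SET ROLE app_reader` to confirm the handle really has no meaningful write privileges.
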
------
mark_l_watson
A great article! It made me realize that I need to be much more careful in
setting up restrictions for PostgreSQL users (i.e., client applications).

