Re: [QUESTIONS] LArge object functions in the backend

On 6 Feb 1998, Fedor Bezrukov wrote:

Probably that's a silly question, but...

There are functions 'lo_export'/'lo_import' embedded in the backend.
They can be called from an SQL request like it is described in the
User Manual. But as they are executed from the server, not from the
client, I get the resulting file (from lo_export) owned by the
'postgres' user and located on the server machine! This is not at all
what you need, and more, it is a security hole, using which you can
peek at any data in the database and even destroy it. Probably this
is not the correct place for these functions (and it is even mentioned
in the source :) ). Probably these functions should be removed from
the backend or at least restricted to use by the 'postgres' user only?

You do have a point here.

I think these functions are obsolete. Do we still need them? We have
examples on how to implement these properly from the client to server in
the source.

What does everyone else think?

--
Peter T Mount petermount@earthling.net or pmount@maidast.demon.co.uk
Main Homepage: http://www.demon.co.uk/finder
Work Homepage: http://www.maidstone.gov.uk Work EMail: peter@maidstone.gov.uk