SQL Injection & Stored Procedures Info
Hi,
I am preparing a security related presentation regarding web based applications and databases. I had difficulty finding postgresql specific information on the Net. I am especially looking for stored procedures related injection examples (there are tons specific to MS-SQL, but although PG supports SPs, I couldn't find any). If anybody can point me in the right direction, I'd be glad...
Regards,
Çağıl Şeker
________________________________________
Software Engineer / Yazilim Muhendisi
Biznet Bilisim Sistemleri ve Dan. San. Tic. A.S.
Teknokent Ikizler Binasi Kat:1 A-2 Blok, ODTU
06531 Ankara/TURKEY
Tel : +90 312 210 11 77
Fax : +90 312 210 11 67
E-mail : cagils@biznet.com.tr
http://www.biznet.com.tr
Whilst MS-SQL has many built-in procedures e.g. xp_cmdshell, I am not aware
of any built-in stored procedures for Postgresql, and I believe that
procedural languages must be voluntarily installed in order to be active [1].
If there really aren't any built-in procedures or even languages active by
default, PG stored procs would tend to be site specific, so unless you
exploit a general bug or weakness (e.g. if the interface/documentation (or
lack of) discourages safe usage - e.g. hard to escape stuff), attacks would
be site/application specific too.
Also, before 7.3 Postgresql functions/procs could not return multiple
values (or it was rather difficult). This probably limited their use and usage.
So it is likely in the future there would be greater usage of Postgresql
stored procs, and who knows, maybe future versions of Postgresql would
include various "activated by default" procedures and languages ripe for
exploitation ;). Doesn't look like it'll be soon given the current
Postgresql developer culture.
Hope that helps,
Link.
[1]: http://www.ca.postgresql.org/users-lounge/docs/7.3/postgres/xplang-install.html
Usually hard to take advantage of something that isn't installed/present ;).
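As an added example (not from either message) of the "hard to escape stuff" weakness the reply describes, here is a PL/pgSQL function that splices its argument into dynamic SQL, beside the same lookup written with a bind parameter. The table, data and function names are constructed for illustration; it assumes PL/pgSQL is installed and a PostgreSQL version with EXECUTE ... USING (8.4 or later; quote_literal/quote_ident already appear in the 7.3 docs the reply cites).

```sql
-- Constructed demo schema (not from the thread).
CREATE TABLE accounts (
    id       serial  PRIMARY KEY,
    username text    NOT NULL,
    balance  numeric NOT NULL
);
INSERT INTO accounts (username, balance) VALUES ('alice', 100), ('bob', 25);

-- Vulnerable: the argument becomes part of the SQL text, so a value
-- containing a quote character rewrites the WHERE clause.  SECURITY DEFINER
-- makes this worse, because the query runs with the function owner's rights.
CREATE OR REPLACE FUNCTION balance_unsafe(p_user text) RETURNS numeric AS $$
DECLARE
    result numeric;
BEGIN
    EXECUTE 'SELECT balance FROM accounts WHERE username = ''' || p_user || ''''
        INTO result;
    RETURN result;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- Hardened: the value travels as bind parameter $1 and is never parsed as SQL.
CREATE OR REPLACE FUNCTION balance_safe(p_user text) RETURNS numeric AS $$
DECLARE
    result numeric;
BEGIN
    EXECUTE 'SELECT balance FROM accounts WHERE username = $1'
        INTO result USING p_user;
    RETURN result;
END;
$$ LANGUAGE plpgsql;

-- Identifiers cannot be bound; when a table name must be dynamic, quote it.
CREATE OR REPLACE FUNCTION count_rows(p_table text) RETURNS bigint AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE 'SELECT count(*) FROM ' || quote_ident(p_table) INTO n;
    RETURN n;
END;
$$ LANGUAGE plpgsql;

-- Behaviour on the constructed data: the safe version compares the whole
-- argument as one username, the unsafe one lets it alter the WHERE clause.
SELECT balance_safe('alice');
SELECT balance_safe('alice'' OR ''1''=''1');
SELECT balance_unsafe('alice'' OR ''1''=''1');
SELECT count_rows('accounts');
```

Running the last three SELECTs side by side in psql is the quickest way to show an audience why a site-specific stored procedure, not the database engine, is where a PostgreSQL injection usually lives.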
At 06:44 PM 12/23/02 +0200, Çağıl Şeker wrote: