Security Fix Leads To PostgreSQL Lock Down

← Back to Stories (view on slashdot.org)

Security Fix Leads To PostgreSQL Lock Down

Posted by samzenpus on Friday March 29, 2013 @03:49AM from the shut-it-down dept.

hypnosec writes "The developers of the PostgreSQL have announced that they are locking down access to the PostgreSQL repositories to only committers while a fix for a "sufficiently bad" security issue applied. The lock down is temporary and will be lifted once the next release is available. The core committee has announced that they 'apologize in advance for any disruption' adding that 'It seems necessary in this instance, however.'"

100 comments

Min score:

Reason:

Sort:

That's not a good approach by i+kan+reed · 2013-03-29 03:57 · Score: 1, Interesting

Make sure that users of your open source project are not even able to find out what attack vector exists on their systems. They should languish in the hopes that your team will fix it before malicious hackers figure out what it was. From the code they already checked out.
Obscurity will protect everyone.
1. Re:That's not a good approach by bluefoxlucid · 2013-03-29 04:04 · Score: 5, Insightful
  
  That's exactly the point. They've locked out and shrouded the changes that are being made as they're happening, because of wide-spread collaboration causing changes, tests, etc to occur. It's going to be a week before the fix is ready, but as soon as the first bits of test code go in you can quickly target that body of code and figure out the problem, then exploit it. As-is, you now have to rummage through the whole body of vulnerable code and try to guess what's actually broke.
  When the repos are opened back up, the fix will be ready. It might (probably) even be shared with the major distros, who will simultaneously have an updated package published. This greatly reduces the likelihood and window of a zero-day exploit with no fix.
  
  --
  Support my political activism on Patreon.
2. Re:That's not a good approach by Anonymous Coward · 2013-03-29 04:13 · Score: 1
  
  If you have a copy of the code before the changes and another copy from after, it takes literally 3 seconds to target exactly what was changed. Your explanation accounts for none of that.
3. Re:That's not a good approach by Anonymous Coward · 2013-03-29 04:14 · Score: 0
  
  Most users will not upgrade immediately and so at best this puts off the exploit making it 'into the wild' by a week. At worst, it draws widespread attention to the flaw (as in, /.) and will cause people to aggressively pursue using it to compromise systems once the fix is released.
4. Re:That's not a good approach by bluefoxlucid · 2013-03-29 04:16 · Score: 5, Insightful
  
  My explanation accounts exactly for that and that was the point. The changes between [VULNERABLE] and [FIXED] are not public yet because the [FIXED] state is not ready for production deployment (it may be wrong, and need more work). That means you can't pop open your source tree, do a `git diff`, and go, "oh, in this code path?" and 20 minutes later have your exploit.
  Now, a week from now, this stuff will all be public and fixes will be released. Then you can target exactly what's changed, while everyone else is running updates. This is different from targeting exactly what's changed and then running around buttfucking everyone while they have to wait a week to get production-ready code OR chance it with alpha-grade software in production.
  
  --
  Support my political activism on Patreon.
5. Re:That's not a good approach by bluefoxlucid · 2013-03-29 04:23 · Score: 2
  
  At least you have the option. And people who are exploiting shit are using Metasploit and playing around on Milw0rm anyway, seriously.
  
  --
  Support my political activism on Patreon.
6. Re:That's not a good approach by Anonymous Coward · 2013-03-29 04:32 · Score: 0
  
  The fixes will be released, but there are going to many broken instances in the wild, and all this hoohar will merely bring attention to the exploit. It's trivial to diff the code and see what's going on. This decision was wrong, they could have slipped in the fix as a regular commit and no one would really be any wise, but now, the whole tech world knows that any day now, an exploit is going to be trivial to find.
7. Re:That's not a good approach by Anonymous Coward · 2013-03-29 05:03 · Score: 0
  
  Well if you didn't want to be obscured I guess you should've contributed you leech.
  (I keed I keed)
8. Re:That's not a good approach by Firehed · 2013-03-29 05:04 · Score: 4, Insightful
  
  People looking to exploit vulnerabilities on widely-installed software (databases, programming languages, frameworks, etc.) keep an eye on commit logs to do precisely this. Those patches and commits call attention to themselves; postgres is right to ensure that a patch is available at the same time it indicates the attack vector. In fact, they'd probably be wise to make sure major binary repos have a patched copy even before making the changed source available so that sysadmins have a week to do an update from yum/apt-get/$pkgmgr
  The only difference between this and patch tuesday is that you know what goes into this fix after the fact. If you see 'critical security update' in your mailing lists, it becomes a race between you updating your system and attackers figuring out how to exploit the old version; them doing so is orders of magnitude more difficult if they don't actually know what's changed.
  Is it the FOSS way? No. But I'd happily take a project going closed-source for two weeks if it means my database doesn't get hacked (but then again, I'm dealing with PCI-DSS Level 1 so I kinda have to). Now hopefully people have their databases completely inside the firewall as to minimize the attack vector - assuming it has something to do with an authentication flaw, at least (and not, say, remote code execution due to a bug in parameterized queries). See - I don't know what they're changing, so I don't even know where to start probing.
  
  --
  How are sites slashdotted when nobody reads TFAs?
9. Re:That's not a good approach by Firehed · 2013-03-29 05:15 · Score: 4, Insightful
  
  Open-source doesn't magically decrease the severity or number of bugs, but it does allow more people to eventually discover them. There's an obvious trade-off here: non-malicious people can find and then report and/or fix the bugs, or malicious people can find and then exploit them. The hope is that there are more contributors than attackers finding bugs and that it ends up being a net positive for stability and security. Neither open nor closed source is the right model 100% of the time for 100% of projects.
  There's no hypocrisy here - the source of the patches will be released and all future commits will be made public again. This was a short-term decision weighing practicality and security against the "religion" of OSS. It's the difference between responsible disclosure and letting the software maintainers find out about the same exploit because you blogged about it, so attackers find out at the same time. They could have one or two people developing the patch in a local branch and simply not push anything upstream until it's done and tested and have the same effect, this is just an easier approach.
  
  --
  How are sites slashdotted when nobody reads TFAs?
10. Re:That's not a good approach by Forty+Two+Tenfold · 2013-03-29 05:19 · Score: 1
  
  it takes literally 3 seconds to target exactly what was changed
  No, it' figuratively. If the patch changes multiple files, reworking big fragments of business logic, then it's less trivial to figure out the exploit. The interested parties might just use this window to update. If everyone knows the exploit before the changes are applied and tested, it's a total SNAFU.
  
  --
  Upward mobility is a slippery slope - the higher you climb the more you show your ass.
11. Re:That's not a good approach by LordLimecat · 2013-03-29 06:00 · Score: 1
  
  Nonsense. I think that OSS enthusiasts grossly overstate the benefits of OSS sometimes, but the "many eyes" DID find the problem, and now they are working on a fix.
  Would you rather
  A) they tell everyone "hey, the problem is that you can easily exploit PostGreSQL by doing X, but we will have a fix in a week or two", or
  B) tell everyone "there is a security flaw, but we will not disclose details until the fix is out"
  Guess which one ALL major vendors do when they have a choice, btw? Google does this, MS does this, etc.
12. Re:That's not a good approach by Anonymous Coward · 2013-03-29 06:28 · Score: 0
  
  As a security researcher
  Proclaiming yourself as a security researcher doesn't really make you an actual security reseacher. Not knowing the difference between an OS kernel exploit and a database exploit makes you an incredibly poor one.
13. Re:That's not a good approach by Anonymous Coward · 2013-03-29 07:43 · Score: 0
  
  But, but... he dropped three F-bombs and called the guys who are actually doing something morons! Doesn't that prove he's an expert? 'Cause I've been reading Slashdot for quite a while now, and that seems to be how all the "experts" identify themselves.
14. Re:That's not a good approach by HiThere · 2013-03-29 08:13 · Score: 1
  
  You left out option C:
  C) Don't tell anyone there's a problem, and pretend that there isn't one until you have a new version to sell.
  MAYBE MS doesn't do that anymore. I stopped using their products, so I don't know. They certainly used to.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
15. Re:That's not a good approach by BitZtream · 2013-03-29 08:20 · Score: 2
  
  So, go to http://git.postgresql.org/gitweb/?p=postgresql.git;a=summary and look at the source.
  What they've taken private is their patches for the problem until they can make it production ready.
  You are still fully able to access everything you've always had access to, they've just decided not to share their newest patches for a few days/weeks until people have at least a chance to protect their systems.
  Regression tests have to be run, repos need a chance to update their binary packages, all sorts of things can be done in private and made ready so that when the changes are made public ... and it becomes trivial to exploit the bug in unpatched versions since the changes show you the exploit ... users are already able to update to a fixed version.
  They just aren't telling the world where the bug is until the patch has been properly distributed. You can still go look for it yourself if you want, unless you want the bad guys to know where its at and you STILL won't have a patch available. Remember, these are the guys who are making the patch so you're waiting on them for the fix regardless.
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
16. Re:That's not a good approach by bill_mcgonigle · 2013-03-29 08:20 · Score: 1
  
  They could have one or two people developing the patch in a local branch and simply not push anything upstream until it's done and tested and have the same effect, this is just an easier approach.
  That's exactly it - the typical open source methodology and infrastructure isn't really what defines the product as open source or not. Many of the commercial dual-licensed vendors still just throw code over the wall every few months, and they're definitely still open source. All the PostgreSQL folks are doing is closing the infrastructure to non-core contributors for a week - the code is and will be open source.
  It would be neat if there was a redundant infrastructure for these sorts of needs, but I'm guessing they decided that spinning one up wasn't worth delaying the fix.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
17. Re:That's not a good approach by pallmall1 · 2013-03-29 10:28 · Score: 1
  
  But, but, but, I am a freetard...
  No, you are just stupid.
  
  --
  3 things about computers: they're alive, they're self-aware, and they hate your guts.
18. Re:That's not a good approach by Anonymous Coward · 2013-03-29 23:50 · Score: 0
  
  I thought that just made him Linus Torvalds...
19. Re:That's not a good approach by Anonymous Coward · 2013-03-30 01:21 · Score: 0
  
  It'll slow us down but it won't stop us.
  I don't know what makes you think that crackers are unskilled at examining binary diffs. Windows crackers don't have source and they get by just fine, what makes you think Linux is any different?
20. Re:That's not a good approach by peawormsworth · 2013-03-30 09:00 · Score: 1
  
  You left out option C: C) Don't tell anyone there's a problem, and pretend that there isn't one until you have a new version to sell.
  MAYBE MS doesn't do that anymore. I stopped using their products, so I don't know. They certainly used to.
  D) Everyone including MS knows there is a problem, but the fix doesnt come out in the next patch because it doesnt effect enough customers to be worth the effort involved in making the neccessary changes. Because MS is profit driven organization and has no incentive to assist a minority when there is no return on investment.
21. Re:That's not a good approach by HiThere · 2013-03-31 07:06 · Score: 1
  
  Sorry, but EVERYONE uses that option. Check out old bugs in some open source projects. So you can't reasonably single out MS for that one.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
22. Re:That's not a good approach by greg1104 · 2013-03-31 11:55 · Score: 1
  
  When the repos are opened back up, the fix will be ready. It might (probably) even be shared with the major distros, who will simultaneously have an updated package published. This greatly reduces the likelihood and window of a zero-day exploit with no fix.
  That is what's happening, and it's the reason for the temporary lockdown. The core team member whose e-mail was linked to here is also one of RedHat's packagers for PostgreSQL as one example distribution. He's helping make sure that updated RHEL RPMs are published at the same time as the details of the vulnerability. Right now the only people who are believed to know about the problem are the project committers and a few equally trusted packagers.
23. Re:That's not a good approach by greg1104 · 2013-03-31 12:24 · Score: 1
  
  In fact, they'd probably be wise to make sure major binary repos have a patched copy even before making the changed source available so that sysadmins have a week to do an update from yum/apt-get/$pkgmgr
  That is impossible in the general case, and that fact is one reason the somewhat careful plan is executing. Some open source projects require releasing the source code along with the binaries. RedHat for example will always distribute source RPMs at the same time as the binary RPMs. The PostgreSQL license doesn't have such requirements, but the distribution's release policies can't necessarily change just because some packages have less requirements.
  Fundamentally, PostgreSQL can't make any downstream packaging demands; those are projects outside of its control. The best they can do is coordinate with as many known, trusted packagers as possible such that binary packages are available at exactly the same time as the source code that discloses the vulnerability. That is what's happening here. The PostgreSQL core team member whose e-mail was referenced is heavily involved in packaging of RedHat and other versions of Linux.
  Fundamentally, the whole idea of advance binary releases presumes that you cannot reverse engineer an exploit out of a changed binary, and that is just generally a broken model. If I had a source and binary for an existing PostgreSQL version on a platform, and you also gave me a binary for a modified one, I could reverse engineer what was changed without too much trouble. And that sort of thing is exactly what people developing exploits are usually good at. Your only hope for being safe is if you trust a binary provided by someone, and that sort of idea is exactly what open source distribution is supposed to avoid.
  Let's say PostgreSQL released binaries for RedHat RHEL for example a week early, but not associated source code, I'm running Slackware, and Slackware isn't one of the distributions that gets early access to the fix. As a Slackware user I'd be screwed. People who know how to build exploits would have everything they need to target an attack for a week, but I would have no way to defend myself. If source is released at the same time, people always have the option of rebuilding their own packages, even if their packager won't/didn't. A race between "fully informed user with source" and "exploit builder with source" can be won by the user. If you delay source to some time after the binary, it's far more likely the exploit will be built before people know enough to build a fixed package and protect themselves.
24. Re:That's not a good approach by fuzzytv · 2013-04-04 09:25 · Score: 1
  
  That really depends on what is your definition of open source. My favorite definition comes from OSI [http://opensource.org/about]: "Open source is a development method for software that harnesses the power of distributed peer review and transparency of process. The promise of open source is better quality, higher reliability, more flexibility, lower cost, and an end to predatory vendor lock-in."
  That clearly means companies throwing source code over the wall every few months does not make the product open source, as it's lacking the transparency and distributed peer review. But although OSI (or rather future founders of OSI) coined the term in 1998, it's true there are other definitions saying that publishing source code makes the product open source. The problem with that definition is that the "many eyeballs" theory requires a community, and you're not going to get that by mere publication of the code.
25. Re:That's not a good approach by fuzzytv · 2013-04-04 09:33 · Score: 1
  
  OSS is not a magical fairy dust. There are OSS projects that suck at fixing bugs and there are projects that are pretty good at this. PostgreSQL is one of the great ones, IMHO.
  What's great about OSS is that the bugs can be analyzed and fixed by anyone with sufficient knowledge, not just by a single company.
26. Re:That's not a good approach by bill_mcgonigle · 2013-04-04 13:44 · Score: 1
  
  I agree, that's much better. A good reason to fork a project too. It's too bad OpenJDK hasn't done that yet - they still suffer from the over-the-wall model.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Say what? Streisand effect on security perhaps? by brunes69 · 2013-03-29 03:57 · Score: 0

This seems like a really dumb move. What the team has done now is to raise the exposure level of this vulnerability by a HUGE margin. Now all any script kiddie needs to do is find a mirror of the code from 24 hours ago or any other recent period, which is likely quite trivial to do with an open source project as large as postgresql, and hunt for the vulnerability. They know it will be pretty bad since they did this action!
1. Re:Say what? Streisand effect on security perhaps? by Splab · 2013-03-29 04:03 · Score: 4, Insightful
  
  You are assuming it is a new problem, the approach they selected tells me they have found a *MAJOR* issue in several versions of PostgreSQL; that means it's old code.
  They even say, keep an eye on this next release, because you (users) need to apply it at once - this isn't something that only affect latest build.
2. Re:Say what? Streisand effect on security perhaps? by bluefoxlucid · 2013-03-29 04:06 · Score: 4, Insightful
  
  They'll have to hunt through all the code. Since a viable, production-ready fix won't be available for a week, but a new piece of code in the vulnerable body is available now, leaving the repo public would result in a week of free exploitation--they've gone and highlighted the exact bit of code the problem is in. The repos are closed, so only contributors and any downstream distribution providers that are working with them to build and test the fixed code are privy to this.
  This temporary closure greatly reduces the risk of an attacker tearing down the code and finding the precise vulnerability they're trying to mitigate.
  
  --
  Support my political activism on Patreon.
3. Re:Say what? Streisand effect on security perhaps? by Splab · 2013-03-29 04:11 · Score: 4, Informative
  
  And from Postgres we have:
  http://www.postgresql.org/about/news/1454/
  This is a major security issue and it affects *ALL* versions of postgres. Locking it down while updates are being created seems the right way to do it to me...
4. Re:Say what? Streisand effect on security perhaps? by Anonymous Coward · 2013-03-29 04:12 · Score: 0
  
  This seems like a really dumb move. What the team has done now is to raise the exposure level of this vulnerability by a HUGE margin. Now all any script kiddie needs to do is find a mirror of the code from 24 hours ago or any other recent period, which is likely quite trivial to do with an open source project as large as postgresql, and hunt for the vulnerability. They know it will be pretty bad since they did this action!
  You're no longer a script kiddie when you can find an undisclosed vulnerability in a source code base as large as PostgreSQL. You've graduated to cyber criminal.
5. Re:Say what? Streisand effect on security perhaps? by afgam28 · 2013-03-29 04:14 · Score: 4, Informative
  
  From the article:
  
  The reason for the lockdown is to ensure that malicious users don’t work out an exploit by monitoring the changes to the source code while it is being implemented to fix the flaw.
  So a mirror of the code from 24 hours ago wouldn't have any work-in-progress commits. These commits would give clues as to where the vulnerability is.
  It sounds like a really good use case for distributed version control. When this sort of thing happens, developers should be able to temporarily fork the repo and work on security issues in private, while everyone else is still able to access the main repo.
6. Re:Say what? Streisand effect on security perhaps? by Anonymous Coward · 2013-03-29 04:14 · Score: 0
  
  Luckily diff doesn't exist, and everyone updates their software immediately!
7. Re:Say what? Streisand effect on security perhaps? by Anonymous Coward · 2013-03-29 04:20 · Score: 1
  
  How is this worse than announcing the vulnerability publicly? If they had done that, no one would even need to hunt for the vulnerability. They would just have to read the announcement.
8. Re:Say what? Streisand effect on security perhaps? by bluefoxlucid · 2013-03-29 04:24 · Score: 1, Flamebait
  
  Risk of being exploited versus risk of updating your software. If you decide the risk of updating is lower than the risk of exploitation, you update. OH WAIT, THERE'S NO UPDATE READY UNTIL NEXT WEEK.
  
  --
  Support my political activism on Patreon.
9. Re:Say what? Streisand effect on security perhaps? by Anonymous Coward · 2013-03-29 04:25 · Score: 0
  
  That is not a problem they could have solved by announcing the vulnerability publicly. Even if they did classic "full disclosure", diff would still exist, and people would still delay updates.
  As it is, no one can find the vulnerability with diff because the repository is closed. Once the fix is published, then people will be able to find the vulnerability using diff, but at least the postgresql team have reduced the window of time in which diff is useful to the bad guys.
10. Re:Say what? Streisand effect on security perhaps? by Anonymous Coward · 2013-03-29 04:25 · Score: 0
  
  Since the fixes have not been committed, this will not avail you. The whole point of locking down the repo is precisely so that mirrors don't get the fixes until the new releases are made. Or maybe you think the Postgres developers are idiots.
11. Re:Say what? Streisand effect on security perhaps? by Anonymous Coward · 2013-03-29 04:36 · Score: 0
  
  It sounds like a really good use case for distributed version control. When this sort of thing happens, developers should be able to temporarily fork the repo and work on security issues in private, while everyone else is still able to access the main repo.
  I guess the reason they don't do that it because the build infrastructure works off the official repository. Nothing prevents other (non-committer) developers to use the distributed nature of git to continue developing stuff, of course.
  I also have the impression that many people read the topic as meaning "we are trying to hide our current source code because you might fix the bug in it", which is absolute bollocks of course (as the source code is mirrored everywhere, e.g., on github): They are just temporarily hiding the to-be-committed change that implements the fix, up to the point where fixed packages are ready.
  Anyway, whoever posted this article to /. should be shot for the obvious reasons.
12. Re:Say what? Streisand effect on security perhaps? by Anonymous Coward · 2013-03-29 04:39 · Score: 0
  
  "we are trying to hide our current source code because you might fix the bug in it"
  s/fix/find/
13. Re:Say what? Streisand effect on security perhaps? by Anonymous Coward · 2013-03-29 04:57 · Score: 0
  
  If they keep it open. Tomorrow when they are working on a fix, diff would show where the bug is. Then they have a week of free exploit before a fix is out.
  Closes it for now hides where the bug is till there is a fix.
  A week of butt fun before the smart users can fix it, vs. smart users update with no butt fun.
14. Re:Say what? Streisand effect on security perhaps? by Forty+Two+Tenfold · 2013-03-29 05:23 · Score: 1
  
  You're no longer a script kiddie when you can find an undisclosed vulnerability in a source code base as large as PostgreSQL. You've graduated to cyber criminal.
  No. You become a cyber criminal when you abuse the vulnerability. When you can find one, you're a successful security auditor.
  
  --
  Upward mobility is a slippery slope - the higher you climb the more you show your ass.
15. Re:Say what? Streisand effect on security perhaps? by Bostik · 2013-03-29 06:12 · Score: 4, Insightful
  
  Let me get this straight, so I know we're on the same page.
  There is a major vulnerability in basically ALL Postgres installations in the world. That means it has not been introduced by any recent commits. The patch(es) are not yet public, and the repositories have been made non-public while the fix is in the works.
  The fix is likely delayed somewhat by the occurrence of Easter holidays. Lots of people have taken extended weekends - probably a good number of Postgres devs included. There is probably no sane way to deploy the fixed versions until after the holidays. Not everyone can afford 24/7 admins.
  And you want to complain about the developers being irresponsible when dealing with this?
  (For the record: I'm pretty much a full-disclosure guy, but a slightly delayed disclosure with NO IN-THE-WILD EXPLOITS for a vulnerability that is discovered just ahead of a major holiday weekend... I can live with that.)
  
  --
  There is no such thing as good luck. There is only misfortune and its occasional absence.
16. Re:Say what? Streisand effect on security perhaps? by Rich0 · 2013-03-29 07:04 · Score: 1
  
  It sounds like a really good use case for distributed version control. When this sort of thing happens, developers should be able to temporarily fork the repo and work on security issues in private, while everyone else is still able to access the main repo.
  Sure, if you have infrastructure to run a hidden repo that only your devs can access. They likely don't have this, as is the case with most FOSS projects.
17. Re:Say what? Streisand effect on security perhaps? by BitZtream · 2013-03-29 07:54 · Score: 1
  
  Since they use git ... I would say that would be what happened.
  Linked from their downloads page is this:
  http://git.postgresql.org/gitweb/?p=postgresql.git;a=summary
  And its still fully accessible.
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
18. Re:Say what? Streisand effect on security perhaps? by HiThere · 2013-03-29 08:26 · Score: 1
  
  I don't think there's anything wrong with posting this to Slashdot. Everybody already knows that any complex software will have bugs in it. This doesn't gvie any clue as to what the bug is. And anybody serious about doing a malicious penetration will already have read the announcement.
  Further, this gives people warning to not start any new installs of PostGreSQL right now, because you'll just need to re-install it in a week or so.
  The "religious war" thing that's going on under this story is just loud-mouthed shallow thinkers, who aren't dangerous anyway. (Because they're shallow thinkers.)
  Now if the actual bug were highlighted, I'd agree with you, but I'd also blame the project for highlighting it. As it is, it looks to me as if they took a reasonable path. It's true an optimal path might have been to work off a fork of the code, and not let anyone know until the fix had been applied and tested, but there's also much to be said for warning people as soon as possible, so that they could avoid making databases currently private, accessible. Or so that they could close down access to anything really sensitive, and make sure they have good backups NOW.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
19. Re:Say what? Streisand effect on security perhaps? by pallmall1 · 2013-03-29 10:41 · Score: 1
  
  Since they use git ... I would say that would be what happened.
  That's interesting, because the git.postgresql.org page you linked shows recent work desicribed as "Fix page title for JSON Functions and Operators." Couple that with the fact that the Slashdot summary has a link to a Parity News page that contains a link to the Postgresql announcement, and the Parity News link is loaded with javascript in the url.
  
  I wonder if Parity News is trying to demonstrate the Postgresql flaw?
  
  --
  3 things about computers: they're alive, they're self-aware, and they hate your guts.
20. Re:Say what? Streisand effect on security perhaps? by petsounds · 2013-03-29 16:52 · Score: 1
  
  The git source is still available (http://git.postgresql.org/gitweb/?p=postgresql.git;a=summary); it is only the patches for the bug-in-question that are closed off. This seems entirely reasonable given the severity of this vulnerability.
21. Re:Say what? Streisand effect on security perhaps? by Masterbrain · 2013-03-30 02:04 · Score: 1
  
  We certainly have that infrastructure(postgresql.org has around 50(!) servers for various purposes and a dedicated master repository is one of them), what are are doing here is simply delinking the "real" master repository from the anonymous repository and other downstream clones like github for a while. There is a pretty good post form magnus with actual fact available as well: http://blog.hagander.net/archives/212-About-security-updates-and-repository-lockdown.html in case you need more information.
22. Re:Say what? Streisand effect on security perhaps? by Rich0 · 2013-03-30 02:54 · Score: 1
  
  Seems like the best way to handle it. Fixing security flaws that touch a lot of code and doing all your development in the open aren't always compatible.
  Most linux distros secure security bugs for similar reasons. They don't usually have to block as much because they don't need extensive changes and integration work to deploy security patches. Well-contained software bugs also don't need as much of this since you don't need as much coordination.
  I've always admired Postgres. I just wish the SQL world wasn't so fragmented and that Linux had better DB abstraction so that I wouldn't be stuck with whatever DB created the client libs linked by the application...
23. Re:Say what? Streisand effect on security perhaps? by peawormsworth · 2013-03-30 09:10 · Score: 1
  
  This seems like a really dumb move. What the team has done now is to raise the exposure level of this vulnerability by a HUGE margin. Now all any script kiddie needs to do is find a mirror of the code from 24 hours ago or any other recent period, which is likely quite trivial to do with an open source project as large as postgresql, and hunt for the vulnerability. They know it will be pretty bad since they did this action!
  Raising exposure helps companies prepare for a database change. I know if we were using Postgres, we would be scheduling time for the upgrades an preparing for potential down time if needed. We would be going through all our database code to identify exactly what needs to be checked after the upgraded software and documenting as much as possible. Because if this is major, the changes could effect the way our code integrates with the database. For example, if its an authentication breach, then much of our own code would need to be changed to accomodate it.
  In any case, I dont think companies are concerned about what "script kiddies" are going to do about it, and instead are happy to be alerted to security fixes of an urgent nature.
Wrong move by Todd+Knarr · 2013-03-29 04:25 · Score: 1

My thought is that their reaction is exactly the wrong move. All it does is announce to the bad guys that there's a vulnerability they can exploit (which they probably know about already) and that none of their targets will know what it is or how to spot an attempt to exploit it, while at the same time insuring that the admins responsible for PgSQL servers can't find out what they need to protect against. If the vulnerability is that critical and severe that it can't be discussed, then as an admin it's critical and severe enough that I need to do something to mitigate it RIGHT FRAKKIN' NOW! I can't wait until Monday, I need to do something today to keep my PgSQL servers from being exploited. But as it stands the only thing I can do is shut them down completely and migrate fast to some other database. I can't wait, if I could the PgSQL team wouldn't be this panicked about the problem.
1. Re:Wrong move by h4rr4r · 2013-03-29 04:37 · Score: 5, Insightful
  
  They sent out a warning to everyone on the mailing list. I know, I got it.
  You should not have your PgSQL servers exposed to the world, no any db server. You should apply the fix when it comes out. The reality as an admin is that I know odds are damn near everything we use has as yet undiscovered vulnerabilities.
  Migrating anything major to another DB is pretty much a nonstarter. Nor will another DB give you even this much visibility. Oracle would never admit something like this with mysql.
2. Re:Wrong move by characterZer0 · 2013-03-29 04:37 · Score: 2
  
  Migrate to what? Postgres admitted that there is a problem. It is not known to be exploited in the wild. Do you really think Oracle, DB2, SQL Server, and MySQL have no critical security bugs in them? Or even bugs already known to the vendor in the case of the closed source ones?
  Your system is no worse today than it was yesterday. You know PostgreSQL has at least 1 bug. So unless you think another system has no bugs, do not switch.
  
  --
  Go green: turn off your refrigerator.
3. Re:Wrong move by WuphonsReach · 2013-03-29 04:46 · Score: 1
  
  As others have said, no database ports should ever be exposed to the world at large. You should have a firewall in place that only allows traffic to/from an extremely limited IP address range. Which mitigates a whole lot of issues, even if the database software is vulnerable.
  
  Sure, I'll need to update my pgsql instances, but because they're firewalled off from the outside world, I don't have to lose sleep over it until the fix comes out.
  
  --
  Wolde you bothe eate your cake, and have your cake?
4. Re:Wrong move by lgw · 2013-03-29 04:57 · Score: 1
  
  All it does is announce to the bad guys that there's a vulnerability they can exploit (which they probably know about already)
  
  You contradicted yourself in the same breath there. If the bad guys already knew about this, there would be no harm in announcing it. Announcing that there's some major vulnerability in the entire code base? That does no harm because there's some major vulnerability in the entire code base of every product out there. It's knowing where the flaw is that matters! And the team is taking the smart step to hide that for a week until the fix is ready.
  Once the fix is out, a diff will show everyone what the problem was, but at least the bad guys don't have a week's head start!
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
5. Re:Wrong move by Todd+Knarr · 2013-03-29 05:12 · Score: 2
  
  Are you positive that all the application servers you permit through the firewall are uncompromised? And that they'll remain uncompromised? Are there errors in the firewall that are allowing traffic through you don't expect? Are your servers in a data center where a mistake in the internal network could allow traffic to get to your machine from other (compromised) customers bypassing the firewall?
  And does this vulnerability even require direct access to the database server, or is it one that can be triggered by data? If so, what do I need to filter in my applications to remove the kinds of bad data that could trigger the vulnerability? If normal firewalls and SQL-injection filtering would blunt the attack, I'd expect the PgSQL team to be less worried about revealing the problem because it wouldn't be very exploitable. So given their panic I have to assume that a normal installation with access to the database strictly limited by firewalls is still highly vulnerable to attacks against this bug. I'm remembering exotic bugs like ones involving non-standard UTF-8 sequences that could completely bypass SQL-injection filtering or trigger bugs in low-level libraries via ordinary data, vulnerabilities that required no special access to exploit and would work straight through the tightest of firewalls, but could be stopped dead by appropriate filtering if you knew what the problem was that you had to check against (eg. UTF-8 sequences that weren't the shortest valid sequence for that character).
6. Re:Wrong move by bluefoxlucid · 2013-03-29 05:28 · Score: 0
  
  Jesus christ dude. Kepner-Tregoe Potential Problem Analysis. ORM charts. Decision Analysis (Pugh or Kepner-Tregoe; fuck Analytical Hierarchy, it sucks and requires tons of math for inaccurate results) followed with Adverse Consequence Analysis on ORM charts. Stop shitting yourself.
  
  --
  Support my political activism on Patreon.
7. Re:Wrong move by kestasjk · 2013-03-29 05:45 · Score: 1
  
  If they hadn't locked it out everyone would be complaining "Why is it taking so long to patch *it's being exploited in the wild*!"
  
  There is just no good way to deliver news of a security hole.
  
  --
  // MD_Update(&m,buf,j);
8. Re:Wrong move by CBravo · 2013-03-29 06:29 · Score: 1
  
  Maybe you get privileges with specific data.
  
  --
  nosig today
9. Re:Wrong move by Anonymous Coward · 2013-03-29 06:46 · Score: 0
  
  Yeah, I'm not sure what security bug in a database server would actually be a problem as database servers are usually firewalled and only fed sanitized inputs... then again, that's just best practices, and I know better to expect everyone to follow them. I guess an attack could still be used in a shared hosting situation (do those actually exist anymore? I feel like virtualization has pretty well replaced it.) or as a second level of an attack (i.e. exploit a web application such that the attacker can do anything with the rights of the web application which includes arbitrary communication with the db server which could then be compromised allowing for greater access to the db).
10. Re:Wrong move by muridae · 2013-03-29 07:29 · Score: 1
  
  A way to bypass santization, perhaps? Something that looks like a clean, sanitary input but infact does something malicious?
11. Re:Wrong move by alcourt · 2013-03-29 12:15 · Score: 1
  
  What a strange universe you live in. Sounds nice.
  Databases firewalled? No bad guys on your network? No direct DB connectivity?
  
  --
  "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
12. Re:Wrong move by bill_mcgonigle · 2013-03-29 15:37 · Score: 1
  
  I think you might be right. There's not much that should rise to this level of alarm, but this would.
  I told a client earlier today, "let's assume it's a post-sanitation vulnerability and make a plan to handle that. We can scale back the plans if it turns out to be less severe."
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
13. Re:Wrong move by greg1104 · 2013-03-31 12:39 · Score: 1
  
  There is no evidence of an exploit being available in the wild for this issue. The PostgreSQL team has not paniced. This is a careful proactive security release for a bug that might be exploited once its source code is released. The bad guys have been given no more information than "there is an exploit possible in this code". If you believe that much information is enough for them to break into your server, and therefore you have to migrate to another system immediately, this is not a technical problem--you are having a panic attack. You can't wait until Monday, please seek medical assistance RIGHT FRAKKIN' NOW!
Re:Funny by fredrated · 2013-03-29 04:35 · Score: 1

The only train wreck is your mind.
How would an attack happen? by Geeky · 2013-03-29 04:44 · Score: 3, Informative

I see lots of comments about needing to know the vulnerability right now, and even panic about taking servers down until it's fixed. I can't help feeling that if that's your reaction you're doing it wrong.
In any internet facing production environment, the front end web servers will be the only place that can be attacked. They should be in a DMZ and only be accessing application servers via a firewall, which in turn access the database. Access to the database would only be allowed from the application servers, and the application servers shouldn't be able to run any random SQL. All inputs should be verified before passing to the database. It's kind of hard to see how, in a well designed system, the database is at risk. Nothing uncontrolled should be reaching it.
Of course it's important to have security at every layer, but if an attack can get as far as exploiting code vulnerability in the database I'd say there's a bigger problem somewhere further up the chain.
Internal attacks are another matter, but again, access controls should be ensuring that only those who really need access to the database have access to the database. Those people will be able to do enough damage without needing exploits, so again, code vulnerability at that level should be something of a non-issue.

--
Sigs are so 1990s. No way would I be seen dead with one.
1. Re:How would an attack happen? by Todd+Knarr · 2013-03-29 05:00 · Score: 1
  
  A lot of the time the web servers need access to the database because the code on the web server will be doing database access. If the web servers are compromised, the firewalls will permit attacks from them against the database servers. And the same chain applies when there's application servers in the way, it just takes one more step. With automated toolkits that one more step will be taken by automated exploit software, so the attackers probably won't even notice the delay. There also, as you noted, the problem of internal attacks from compromised desktops and other machines with access to the database servers.
  Security depends on securing all layers of the system, so that when (not if, when) any layer fails it doesn't compromise the entire system. If you design your security on the assumption that all other layers of security are intact and working, you just guarantee your security will fail.
  The sysadmin's motto: "It's not whether you're paranoid, it's whether you're paranoid enough.".
2. Re:How would an attack happen? by lgw · 2013-03-29 05:04 · Score: 2
  
  any internet facing production environment, the front end web servers will be the only place that can be attacked.
  
  Bobby Tables would disagree - SQL injection attacks are the biggest server-side security problem these days.
  One kind of major vulnerability in a DB would be some sort of buffer overflow in parsing the data stored, such that you can take over the DB server by storing carefully crafted data - the worst kind of SQL injection attack.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
3. Re:How would an attack happen? by Anonymous Coward · 2013-03-29 05:05 · Score: 0
  
  All inputs should be verified before passing to the database.
  This looks obvious but its easier said than done. Every flaw that can be and has ever been exploited resulting in compromise of a machine is a result if failing to properly sanitize input. Verifying input is a hard problem that is nearly if not outright impossible to get right. Even the most well designed systems fall victim because of some obscure corner case that was overlooked somewhere.
4. Re:How would an attack happen? by h4rr4r · 2013-03-29 05:12 · Score: 1
  
  You should of course assume there are more of these bugs in all software, all the time.
  This means web servers should not be able to submit arbitrary queries to the DB, if you can avoid it. Now getting developers to play along with this is like herding cats.
5. Re:How would an attack happen? by Geeky · 2013-03-29 05:13 · Score: 1
  
  I agree it needs fixing, and even said that it's important to have security at every layer, my point was really that a number of other security measures will already have failed before the database is vulnerable. And yes, in many cases the web server will be the application server, but I'd hope that's a design that's limited to less than critical systems...
  In a truly paranoid environment the only internal access to the database will be via bastion hosts, not direct from individual desktops...
  
  --
  Sigs are so 1990s. No way would I be seen dead with one.
6. Re:How would an attack happen? by Geeky · 2013-03-29 05:15 · Score: 1
  
  Probably true, but it's sad that in 2013 we're still talking about Bobby Tables! It's still an application code issue rather than strictly a database issue.
  
  --
  Sigs are so 1990s. No way would I be seen dead with one.
7. Re:How would an attack happen? by Geeky · 2013-03-29 05:24 · Score: 1
  
  I know it's not always easy, but most data input into web forms is quite straightforward. The application should not be checking whether the data is invalid - it should be checking that it's valid. That's a subtle distinction, and I'm probably going to fail to explain it! The critical thing is to allow only that data that is valid for the question being asked. Most of the time restricting the input to a certain length and only allowing specific characters should be enough, and wherever possible limit input to predefined selections (dropdowns, checkboxes). Apart from avoiding vulnerabilities, validation is critical to ensuring the data is useful and minimises the need for data cleansing later on.
  Where extended free format data is required, it should still be as simple as controlling the length of the data, the character set in use and making sure it's correctly quoted.
  
  --
  Sigs are so 1990s. No way would I be seen dead with one.
8. Re:How would an attack happen? by bluefoxlucid · 2013-03-29 05:32 · Score: 1
  
  I see lots of comments about needing to know the vulnerability right now, and even panic about taking servers down until it's fixed. I can't help feeling that if that's your reaction you're doing it wrong.
  That a reaction exists right now is wrong to begin with. They need a book and some training.
  
  --
  Support my political activism on Patreon.
9. Re:How would an attack happen? by lgw · 2013-03-29 06:13 · Score: 1
  
  But if the DB itself has a flaw related to the content of the stored data, then the prevalence of SQL injection means you should assume you're exposed.
  For the DBs I've worked with, using stored procedures basically eliminates the threat of SQL injection (the distinction between SQL code and payload is explicit that way) - I assume Postgres is the same way, and there's really no excuse for being vulnerable to that.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
10. Re:How would an attack happen? by Straker+Skunk · 2013-03-29 06:16 · Score: 2
  
  I know it's not always easy, but most data input into web forms is quite straightforward. The application should not be checking whether the data is invalid - it should be checking that it's valid. That's a subtle distinction, and I'm probably going to fail to explain it!
  You'd probably have an easier time explaining it as whitelisting versus blacklisting. A developer can't hope to ever enumerate all the bad things an app should reject, so s/he should instead enumerate the much smaller set of things it should accept. Same deal if you're using a regex or whatnot to sanitize input instead of matching against a list.
  
  --
  iSKUNK!
11. Re:How would an attack happen? by Geeky · 2013-03-29 06:39 · Score: 1
  
  Whitelisting - thank you, describes what I meant perfectly.
  
  --
  Sigs are so 1990s. No way would I be seen dead with one.
12. Re:How would an attack happen? by Shados · 2013-03-29 09:10 · Score: 1
  
  stored procedures are just a mean to an end. What solves the problem is avoiding mixing queries with their parameters. When code invokes stored procedure, they are forced into the parameterized query pipeline, and that solves that (unless of course, you concatenate within the SP :)
  There's a lot of ways to invoke the parameterized query pipeline... so even without stored procedures, you really shouldn't be doing that crap anymore. And yes, all relevent and even not so relevent RDBMs have client APIs that support this, and while it wasn't always the case, for the last 10+ years all mainstream languages do so too.
  It totally baffles me that we even talk about SQL injection anymore.
13. Re:How would an attack happen? by Anonymous Coward · 2013-03-29 11:02 · Score: 0
  
  s/he should instead enumerate the much smaller set of things it should accept.
  http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/
  Good luck with your plan on whitelisting everything possible. I bet I can find the one about things you think wrong about dates & times, phone numbers, addresses, etc.
  The real answer is to accept everything and deal with it on the output side, if it even has to be dealt with at all.
14. Re:How would an attack happen? by russotto · 2013-03-29 12:45 · Score: 1
  
  This is all wrong. I mean, you might want to validate anyway. But the best way to prevent injection is to only supply user inputs to methods that won't execute code contained in them.
Re:Funny by Anonymous Coward · 2013-03-29 04:47 · Score: 0

Was this meant to be funny? Do yourself a favor and take a look in the historic of flaws in PostgreSQL.
Table-valued parameters by tepples · 2013-03-29 06:22 · Score: 1

For the DBs I've worked with, using stored procedures basically eliminates the threat of SQL injection
Do these databases allow passing a list of values to a parameterized statement or stored procedure? For example, some features in some of the web applications I've developed require defining a procedure that takes an array and passes it to something like SELECT last_login_time FROM users WHERE username IN ?. The trouble is that a lot of database interfaces don't allow table-valued parameters, and I can't guess how many question mark placeholders I'll need in advance, so I have to make one well-tested function that does the escaping and make sure to always use it.
1. Re:Table-valued parameters by rtaylor · 2013-03-30 00:16 · Score: 1
  
  Both Oracle and PostgreSQL will let you pass in an array as a function argument.
  Incidentally, PostgreSQL normally changes IN into =ANY(ARRAY[]) for performance, so you're not losing anything that way.
  
  --
  Rod Taylor
2. Re:Table-valued parameters by Anonymous Coward · 2013-03-31 03:54 · Score: 0
  
  The trouble is that a lot of database interfaces don't allow table-valued parameters, and I can't guess how many question mark placeholders I'll need in advance, so I have to make one well-tested function that does the escaping and make sure to always use it.
  No, you just dynamically build a statement that has the correct number of placeholders (using no user-supplied data except to determine that number, and none in the statement itself) and then execute it.
Re:I am being stalked and abused... apk by tarius8105 · 2013-03-29 06:23 · Score: 1

And someone forgot to take his meds today...Are you really that dense that you cant tell that the only reason the "impostor" exists because you have a hard time realizing that you are wrong and/or wont let it go. It would take a complete moron to not realize that the whole reason he continues to do it is because he knows he can get you to respond by simply posting. This isnt rocket science, this is internet 101...

Let me offer you some advice on how to get rid of this "impostor"...shutup.
Dear Oracle Propagandist by Anonymous Coward · 2013-03-29 07:42 · Score: 0

I am absolutely sure Oracle products including MySQL are much more insecure than almost anything else. There was a time you could crash Oracle 8 remotely without even bothering to write assembly language code, use a compiler or the like. telnet and some random typing was enough. MS had a similar shoddy state of database security on SQL server. Just recently a colleague of mine accidentally discovered a way of crashing the MySQL server by means of a range overflow when some sort of trigger was defined on that column.
But thanks for emitting your excrement - it just proves the nasty American tycoonism is alive and kicking.
1. Re:Dear Oracle Propagandist by HiThere · 2013-03-29 08:32 · Score: 1
  
  You are making a perhaps invalid presumption as to his reasoning. It could well be that he's just used to MySQL and doesn't want to think of changing. He could have a lot of code that's dependent on incompatible features, and doesn't want to believe that this was a bad choice. Money isn't the reason for everything.
  That said, I'm not really convinced that PostGreSQL is superior in all use cases to the MySQL family of databases. I do tend to think that it's generally superior, but I'm not expert in either.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
NOT True by Anonymous Coward · 2013-03-29 08:09 · Score: 0

Imagine you can do an SQL injection attack and inside the injection you have a nasty piece of binary code, which will subvert the database server and give the attacker access to ANYTHING on that database server, including entirely different schemas which happen to be located on the same server by coincidence.
I bet 10 dollars and 10 D-marks (to hell with euro) it is an artifact of C or C++, as most security issues are.
Here's a fix: http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/doc/SAPPEUR.pdf
Blog post from one of the core team members by adnonsense · 2013-03-29 18:32 · Score: 2
Do please check out this informative post from Magnus Hagander, one of the PostgreSQL core team members, which clarifies most of the points raised here:
About security updates and repository "lockdown"
I have received a lot of questions since the announcement that we are temporarily shutting down the anonymous git mirror and commit messages. And we're also seeing quite a lot of media coverage.
Let me start by clarifying exactly what we're doing:
- We are shutting down the mirror from our upstream git to our anonymous mirror
- This also, indirectly, shuts down the mirror to github
- We're temporarily placing a hold on all commit messages
There has been some speculation in that we are going to shut down all list traffic for a few days - that is completely wrong. All other channels in the project will operate just as usual. This of course also includes all developers working on separate git repositories (such as a personal fork on github).
We are also not shutting down the repositories themselves. They will remain open, with the same content as today (including patches applied between now and Monday), they will just be frozen in time for a few days.
...continues...
That's not I folks It's Jeremiah Cornelius... apk by Anonymous Coward · 2013-03-30 01:49 · Score: 0

THIS is why he's doing it & proof of it, here -> http://interviews.slashdot.org/comments.pl?sid=3585927&cid=43295193 when others pointed out Jeremiah Cornelius forgot to submit one of the "first post spams" masquerading as myself as AC, & mistakenly submitted one of the impersonations of myself as his registered 'luser' name here on /. forums.
Pretty pitiful actually, but like every up to no good idiot does? He screwed up & submitted it under his registered 'luser' name here.
* Jeremiah Cornelius: DO YOURSELF, and the rest of us, A GIANT FAVOR MAN: Seek professional psychiatric help!
(Since Jeremiah Cornelius obviously can't get over the fact he made a spelling error on what it is HE ALLEGEDLY DID FOR A LIVING? That's not MY fault... it's HIS!)
APK
P.S.=> I seriously must have dusted JC (in his mind @ least) for his BAD spelling error & it "got his goat"...
I.E.-> Catching what he claimed to do as a job, for YEARS he left "PENETRATION" (correct) spelled as "PENTRATION" (incorrect) on his resume on LinkedIn & I pointed it out as he & his friends trolled me as usual (webmistressrachel, gmhowell, & crew (probably ALL JC no doubt using alterate emails or TOR to do it as a possible - I've caught "them & theirs" doing it before, ala Barbara, not Barbie = TomHudson (same person))).
So THAT is what has gotten his goat in a technical debate & his "geek angst" could only come up with *trying* to "impersonate me" in every news thread on /. for the month of March 2013 so far!
(Just to attempt to 'discredit me' as a spammer here obviously)
Doing so, by posting that "$10,000 challenge" &/or reposts of my old posts on hosts file value to end users into EVERY SINGLE NEWS ARTICLE POSTED on /. ...
It's all I can think of that *might* cause such a mentally troubled 'reaction' like the Jeremiah Cornelius is doing & there's NO QUESTION he's the one doing this spamming of nearly every posted article masquerading as myself...!
... apk
Variable number of placeholders by tepples · 2013-03-31 05:06 · Score: 1

No, you just dynamically build a statement that has the correct number of placeholders (using no user-supplied data except to determine that number, and none in the statement itself) and then execute it.
Making sure that the placeholders remain in the same order as the values that will be substituted into the placeholders is almost as troublesome as substituting literal values. For example, a statement involving WHERE foo = ? AND bar IN ? will misbehave, possibly almost as catastrophically as in an injection, if another part of the code is modified to add the value for foo to the list after the values for bar have been added and the part that creates the query containing placeholders is not updated in perfect sync. And is it really substantially easier to make a function that produces a variable list of placeholders than it is to make a function that produces a variable list of correctly escaped values?
Furthermore, some database access layers make it difficult to pass a variable number of arguments to a query. One of these is MySQLi for PHP, which requires obscure gyrations involving call_user_func_array and references, whose exact details have been seen to change from PHP version to PHP version even within the PHP 5.x series. If your answer for this is "then ditch MySQLi", watch the number of concurrent connections between the application layer and database layer per concurrent user double as the application layer has to keep two connections open: one for those queries that have been ported from MySQLi to something else and one for those that have not. Doubling the connections per user halves the number of concurrent users needed to trigger "Failed to open a database connection: too many connections" errors.
1. Re:Variable number of placeholders by Anonymous Coward · 2013-03-31 07:59 · Score: 0
  
  Making sure that the placeholders remain in the same order as the values that will be substituted into the placeholders is almost as troublesome as substituting literal values.
  It really isn't.
2. Re:Variable number of placeholders by tepples · 2013-03-31 08:35 · Score: 1
  
  It really isn't.
  Disagreeing without telling me why you disagree tells me nothing. Please elaborate.
  If WHERE foo = ? AND bar IN (?,?,?,?,?,?,?,?,?,?) ends up changed to WHERE bar IN (?,?,?,?,?,?,?,?,?,?) AND foo = ?, how do I prevent this change from causing disastrous results if the order in which the placeholders appear in the statement does not match the order in which values are added to the array, if one of the valid values for column foo is also a valid value for column bar? In the case of a single well-tested function that correctly escapes lists, it would be easy: WHERE foo = ? AND bar IN $properly_escaped_list becomes WHERE bar IN $properly_escaped_list AND foo = ?. And where may I find an example of correct use of call_user_func_array() with the bind_param() method of MySQLi prepared statements?
  Besides, the output of the function that generates the list of placeholders produces "Filter error: Please use fewer 'junk' characters." when pasted into Slashdot. I had to preview several times to get that filter error to go away, and I ended up having to severely cut down the number of placeholders in the example.