Rails, Postgres, environment variables, Ubuntu, no PL/R

rubyonrails-talk
1

This may be more of a Postgres question than a Rails or Ruby question but … since I want to do this in a Rails environment …

I store my Postgres password in an environment variable whose name is a long randomly generated string in the appropriate format for an Ubuntu environment variable name..

Is it possible to get a list of environment variables from a (SELECT?) statement when executing an arbitrary SQL statement such as the two immediately below.

Get a connection to a user’s database.

Once my question is answered, I’ll want to ask questions about how the statmeent immediately below interacts with Rails’

connection pool.

conn = PGconn.connect(“localhost”, 5432,“”,“”,“my_database_development”,“MyUserName”,“MyObviousPassword”)

exec_sql_stmt_OK = “DROP TABLE IF EXISTS logs; CREATE TABLE logs ( client_ip inet, username text, ts timestamp, request text, status smallint, bytes int );”

Is there some way to break my security model?

Note, I’m picking up the text of exec_sql_stmt_BAD_BAD_BAD from a form. Hence the use of single quotes to prevent interpolation.

exec_sql_stmt_BAD_BAD_BAD = ’ Some statement that will break my security model by giving a list of environment variables; ;’

This will execute just fine

ret_exec_sql = conn.exec( exec_sql_OK )

I hope there is no SQL statement that will fetch a list of environment variables if PL/R is not installed.

ret_exec_sql = conn.exec( exec_sql_stmt_ BAD_BAD_BAD )

``

It is important to note that I have NOT installed R or PL/R.

Note: If PL/R is installed one can use the plr_environ() function to get a list of environment variables

Does anyone know a good (best?) forum to ask questions? I see Reddit link but if you know of a better place, I’m all ears.