If you use PostgreSQL, you have probably noticed that the command line tools that come with it do not accept passwords on the command line.
That's a good thing, as it prevents other users of the system from spying on your command line via ps and reading your password.
OK, but what if you want to run, let's say, pg_dump from your script? Easy: just export an environment variable PGPASSFILE that points to a file containing your credentials. Note that this file MUST be in mode 0600, to prevent other users from looking into it.
If you use Perl, File::Temp creates its temporary files with exactly that mode, so here's a Perl snippet that uses pg_dump:
use File::Temp qw(tempfile);    # tempfile() creates the file with mode 0600 (and O_EXCL)
my ( $cf, $cf_name ) = tempfile();
# pgpass line format is hostname:port:database:username:password; '*' matches anything.
# $password is assumed to hold the database password, set earlier in the script.
print $cf '*:*:*:*:' . $password . "\n";
close($cf) or die "cannot close $cf_name: $!";
$ENV{PGPASSFILE} = $cf_name;    # hand the path to pg_dump via the environment, not the command line
system('pg_dump etc...');       # replace 'etc...' with your real pg_dump arguments
## Don't forget to unlink $cf_name to avoid disk pollution.
unlink $cf_name;
Also, don't forget to run in taint mode and sanitise everything you use to build your command. Correctly handling the return value of the system call is left as an exercise for the reader :)
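The same technique as a POSIX shell script, added here as an example and not part of the original post: it writes the pgpass line with the escaping libpq expects, relies on mktemp for the 0600 file, scopes PGPASSFILE to the one command, and removes the file whatever happens. The function names are my own and it assumes mktemp and sed are available.

```sh
#!/bin/sh
# Added example, not from the original post: the same technique in POSIX sh.
# Needs mktemp and sed; function names are my own.

# libpq requires a literal ':' or '\' in any pgpass field to be escaped with '\'.
pgpass_escape() {
    printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/:/\\:/g'
}

# Write "host:port:db:user:password" to a fresh temp file. mktemp creates it
# with mode 0600; libpq ignores (with a warning) a pgpass file that is more
# permissive, so a wider mode would silently fall back to prompting.
make_pgpass() {   # args: host port db user password -> prints the path
    f=$(mktemp) || return 1
    line=$(pgpass_escape "$1"); shift
    for field in "$@"; do line="$line:$(pgpass_escape "$field")"; done
    printf '%s\n' "$line" > "$f"
    chmod 600 "$f"    # explicit, in case a non-standard mktemp is in PATH
    printf '%s\n' "$f"
}

# Permission bits as ls shows them: 0600 appears as -rw-------.
pgpass_mode() {
    ls -l "$1" | cut -c1-10
}

# Run a command with PGPASSFILE set for that command only (no 'export', so
# nothing else in the script inherits it) and remove the file afterwards,
# even if the command fails or the script is interrupted.
run_with_pgpass() {   # args: host port db user password cmd [args...]
    pf=$(make_pgpass "$1" "$2" "$3" "$4" "$5") || return 1
    shift 5
    trap 'rm -f "$pf"' EXIT HUP INT TERM
    PGPASSFILE="$pf" "$@" && rc=0 || rc=$?
    rm -f "$pf"
    trap - EXIT HUP INT TERM
    return "$rc"
}

# Typical use (password read from a protected source, never from argv):
#   run_with_pgpass db.example.com 5432 mydb alice "$DB_PASSWORD" pg_dump mydb > mydb.sql
```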
Happy coding!
J.