Shodan knew at least 600,000 PostgreSQLs listening on the open internet when I last looked. Presumably quite a few are mistakes, of course. But people do it and the sky doesn't fall. Same for SSH or many other types of server. Of course the web ecosystem has 30 years of accumulated work so yes, you'd be missing stuff like Cloudflare, reCAPTCHA etc. Better for more controlled contexts than something like HN.
Latency is easy to screw up whether you do web apps or direct SQL connections. You have to be conscious of what a request costs, and you can easily batch SQL queries. Yes, you have to watch out for frameworks that spam the DB but those are bad news anyway, and of course there are lots of web frameworks that generate inefficient code. Not sure it's so different.
Your app will have to deal with DB versioning whether it's a web app or not. Tools like Flyway help a lot with linking your DB to version control and CI.
Nonetheless, I totally understand where you're coming from. Thanks for the thoughts.
We don't know either way, but a standard Postgres install doesn't let remote connections do much. You still have to authenticate before anything is allowed. It's not much different to sshd in this regard. A typical web server is far more promiscuous, with a massive surface area exposed to unauthenticated connections. There have been way more disasters from buggy web frameworks/apps that get systematically popped by crawlers, than from people running RDBMS.
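An added check for the point above (not from the thread): a small audit of pg_hba.conf, the file that decides which remote clients must authenticate and how before Postgres lets them do anything. The sample config is constructed and the severity labels are my own assumptions.

```python
"""Audit pg_hba.conf rules for entries that admit network clients without
a strong credential check. Added example, not from the thread; the sample
config is constructed and the severity labels are assumptions."""
import ipaddress

# Constructed sample pg_hba.conf (assumption: typical layout, not a real host)
SAMPLE_HBA = """
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       all                      peer
host    all       all       127.0.0.1/32   scram-sha-256
host    all       all       0.0.0.0/0      trust
host    app       app       0.0.0.0/0      md5
hostssl app       app       0.0.0.0/0      scram-sha-256
host    all       all       10.0.0.0/8     password
"""

WEAK_METHODS = {"trust", "password"}  # no auth at all / cleartext password on the wire


def parse_hba(text):
    """Return one dict per rule; 'address' is an ip_network or None for unix sockets."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rules.append({"type": "local", "db": f[1], "user": f[2],
                          "address": None, "method": f[3]})
            continue
        # ADDRESS may be CIDR (5+ fields) or separate IP + netmask (6+ fields)
        if len(f) >= 6 and "/" not in f[3] and f[4][0].isdigit():
            addr, method = f"{f[3]}/{f[4]}", f[5]
        else:
            addr, method = f[3], f[4]
        rules.append({"type": f[0], "db": f[1], "user": f[2],
                      "address": ipaddress.ip_network(addr, strict=False),
                      "method": method})
    return rules


def audit_hba(text):
    """Flag rules reachable over the network with weak auth or no TLS requirement."""
    findings = []
    for r in parse_hba(text):
        addr = r["address"]
        if addr is None:
            continue  # unix-socket rules are not reachable from the network
        world = addr.prefixlen == 0  # 0.0.0.0/0 or ::/0: anyone on the internet
        if r["method"] in WEAK_METHODS and world:
            findings.append(("critical", r["method"], str(addr)))
        elif r["method"] in WEAK_METHODS:
            findings.append(("high", r["method"], str(addr)))
        elif world and r["type"] != "hostssl":
            findings.append(("medium", r["method"], str(addr)))  # auth ok, TLS optional
    return findings
```

Running `audit_hba(SAMPLE_HBA)` on the sample leaves only the `hostssl` + `scram-sha-256` rule unflagged, which is the "authenticate first, over TLS" case the comment above is talking about.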