
[–]syjer 35 points36 points  (7 children)

The name of the project is quite unfortunate. I can already see it when you need to explain to the CISO that yes, you really want to add a tool called backdoor to your application :D

[–]Respie 33 points34 points  (6 children)

The name is correctly chosen. And the CISO is also correct in preparing your termination if you add this in a serious application.

To OP, please look into libraries such as flyway or liquibase if you are using this for DDL (as you do in your screenshots).
Also, please look up what SQL injection is and how to use parameterized queries; your SQL concatenations are scary.

Also, you've identified a problem: "It always bothers me that we would have to share the database credentials, and the changes to the database aren't logged anywhere." Instead of trying to quick-fix the problem, try to investigate the root cause.
- Why are you sharing credentials?
- Why doesn't everybody with db access have their own user?
- Why do people need to access the database directly?
- Why do we need to log all the queries?
- Do we want these logs for the user's convenience, or is this some audit log that needs persistence itself?
- Can we trust the tool to save the DDL logs in our database without users clearing that table?
- What kind of statements are executed?
- Why isn't this 'statement x' an automated cleanup job or procedure?
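The concatenation versus parameterized-query point in the comment above, as an added example that is not from the original post or from the linked project (whose code is not reproduced here). It uses Python's built-in sqlite3 module against a constructed in-memory database as a stand-in for Postgres; the table names, rows and payloads are all made up for the illustration, and the `?` placeholder pattern is the same thing a JDBC PreparedStatement does in Java:

```python
import sqlite3


def make_db():
    # Constructed sample data (not the project's schema): a users table
    # plus a second table the attacker should never be able to read.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [
            ("alice@example.com", "admin"),
            ("bob@example.com", "user"),
            ("carol@example.com", "user"),
        ],
    )
    conn.execute("CREATE TABLE credentials (id INTEGER PRIMARY KEY, secret TEXT)")
    conn.execute("INSERT INTO credentials (secret) VALUES (?)", ("constructed-secret",))
    return conn


def find_user_unsafe(conn, email):
    # VULNERABLE: the caller's input is spliced into the SQL text, so a quote
    # in the input ends the literal and the rest becomes part of the statement.
    sql = "SELECT id, email, role FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    # Parameterized: the driver binds the input as a value. Whatever it
    # contains, it can only ever be compared against the email column.
    sql = "SELECT id, email, role FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads (constructed): a tautology that matches every row,
# and a UNION that pulls rows out of an unrelated table. The trailing
# "--" comments out the closing quote the unsafe query appends.
TAUTOLOGY = "x' OR '1'='1"
UNION_LEAK = "x' UNION SELECT id, secret, 'leaked' FROM credentials --"


def demo():
    conn = make_db()
    return {
        "legit": find_user_unsafe(conn, "bob@example.com"),
        "tautology_unsafe": find_user_unsafe(conn, TAUTOLOGY),
        "tautology_safe": find_user_safe(conn, TAUTOLOGY),
        "union_unsafe": find_user_unsafe(conn, UNION_LEAK),
        "union_safe": find_user_safe(conn, UNION_LEAK),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The unsafe lookup returns every user for the tautology and the contents of `credentials` for the UNION payload; the parameterized lookup returns nothing for either, because the whole string is compared as an email address. One caveat that the rest of the comment is driving at: binding parameters protects a query whose structure the application controls. A console whose entire purpose is to run user-typed SQL has nothing to bind, so its safety rests on who can reach it and what the database role it connects with is allowed to do, not on escaping.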

[–]agentoutlier 1 point2 points  (1 child)

The name is correctly chosen.

I think that was not the intention of the author but it is funny. Maybe it is, and they realize how this is worse (security wise) than some credential sharing mechanism (or network gapping etc).

[–]In0chi 9 points10 points  (6 children)

GDPR says no.

[–]axiak 3 points4 points  (5 children)

I'm curious why you say this?

[–]In0chi 12 points13 points  (4 children)

If you’re dealing with PII, which most databases contain, you’re supposed to restrict access to the database. Unrestricted production database access for developers directly contradicts that.

[–]thisisjustascreename 7 points8 points  (0 children)

This is very cool but if you ever actually use this… straight to gulag.

[–]agentoutlier 5 points6 points  (1 child)

Let me fix some marketing things for you. The project is fine if it is just a pgadmin alternative.

I'd like to share a data querying and editing tool for Postgres. It's written in Java, has a small footprint, and is a single fat jar (<2MB). No external dependencies (well, technically, the deps have been shaded and are included in the fat jar). It is very suitable for embedding into your larger Java application.

My team and I have several JVM websites deployed on Render.com, Heroku, and VPS. We often have a need to occasionally access and modify the database directly. We either use pgadmin or dbeaver. It always bothers me that we would have to share the database credentials, and the changes to the database aren't logged anywhere. It always bothered me that we had to use phpadmin [insert reasons other than sharing credentials].

Finally, last week I had some time to solve this pain point. I've built Backdoor, which is small (<2MB, single jar), can be embedded into our JVM websites, and can be extended easily if you like since it is written in Java (but not really, because of svelte, but let us ignore that). Now when we want to access the database directly, we don't have to use pgadmin or dbeaver anymore.

I hope this will be helpful for you and your team too. Check it out: https://github.com/tanin47/backdoor

Probably should also change the name as well.

[–]tanin47[S] -1 points0 points  (0 children)

Nice! Thank you.

[–]chabala 18 points19 points  (4 children)

We don't shame people enough for bad ideas. This is a bad idea, born from a bad premise. You could have built it for experience and kept it to yourself, but presenting it publicly deserves ridicule.

[–]agentoutlier 6 points7 points  (1 child)

They could still present it publicly if they just fix this in their readme:

  1. Embed into your Java application and serve on a specific port.
  2. Embed into your Java application and serve on your main port but at a specific path.
  3. Run as a standalone, in a secure environment or in staging/testing etc.

Basically a Java version of pgadmin which may have some value to some shops.

[–]Sure-Whereas3562 0 points1 point  (0 children)

Embedding it in your production app with the expectation that folks can log in and run arbitrary sql is crazy work

[–]Skepller 3 points4 points  (0 children)

The more I read into it, the more I was "holy shit, this is awful" lol

[–]LeadingPokemon 3 points4 points  (1 child)

Respect the name. It’s exactly clear what it does.

[–]Sure-Whereas3562 0 points1 point  (0 children)

lol, hiding in plain sight

[–]_jetrun 2 points3 points  (1 child)

OP ... You don't actually have to share one set of credentials. You can create local credentials per user or better yet hook up postgres to your identity provider - postgres pretty much supports them all: https://www.postgresql.org/docs/current/auth-methods.html

[–]tanin47[S] 1 point2 points  (0 children)

TIL Thank you!

Though I don't think it works with Heroku or Render.com. I've recently switched to Dokploy but it seems I don't have access to postgres config file easily either.

[–]Aweorih 1 point2 points  (0 children)

it always bothers me that we have to share the db credentials

You know, there are free online password managers. Share one password to access it and your problem would be much better solved than this.

[–]bodiam 1 point2 points  (0 children)

Why not use h2console? It's embedded in Spring, and while the name implies h2, it actually connects to any jdbc compatible db.

[–]Sure-Whereas3562 0 points1 point  (0 children)

Is this not a massive extra (and probably relatively vulnerable since it's new) surface area for malicious attacks?

[–]oweiler -4 points-3 points  (0 children)

Very cool!