Home > mailing lists

Re: PG do not accept quoted names for tables/columns - Mailing list pgsql-bugs

From	Andrew McMillan
Subject	Re: PG do not accept quoted names for tables/columns
Date	February 6, 2003 17:42:53
Msg-id	1044560560.2939.23.camel@kant.mcmillan.net.nz Whole thread Raw
In response to	PG do not accept quoted names for tables/columns (Yaniv Hamo <hamo@cs.Technion.AC.IL>)
List	pgsql-bugs

Tree view

On Thu, 2003-02-06 at 22:26, Yaniv Hamo wrote:
>   Hi,
> I noticed that Postgres issues a fatal error when given a quoted name of
> table or column. This is a problem in secured cgi scripts, which quote
> everything they get from the user, to avoid malicious users from trying to
> execute SQL commands using some engineered input.

The SQL specification states that you should quote identifiers with
double quotes.  Single quotes are used for quoting values:

CREATE TABLE "testtable" ( "test" INT );

PostgreSQL is SQL compliant on this issue.

Regards,
                    Andrew.
--
---------------------------------------------------------------------
Andrew @ Catalyst .Net.NZ Ltd, PO Box 11-053, Manners St,  Wellington
WEB: http://catalyst.net.nz/         PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201     MOB: +64(21)635-694    OFFICE: +64(4)499-2267
           Survey for nothing with http://survey.net.nz/
---------------------------------------------------------------------

pgsql-bugs by date:

From: Stephan Szabo
Date: 06 February 2003, 17:36:14
Subject: Re: PG do not accept quoted names for tables/columns

From: Tom Lane
Date: 06 February 2003, 18:46:20
Subject: Re: PG do not accept quoted names for tables/columns

Re: PG do not accept quoted names for tables/columns - Mailing list pgsql-bugs

Previous

Next