Home > mailing lists

BUG #16282: Avoid sql-injections at identifiers - Mailing list pgsql-bugs

From	PG Bug reporting form
Subject	BUG #16282: Avoid sql-injections at identifiers
Date	February 28, 2020 11:00:33
Msg-id	16282-e9df338a7c1fad9d@postgresql.org Whole thread Raw
List	pgsql-bugs

Tree view

The following bug has been logged on the website:

Bug reference:      16282
Logged by:          RekGRpth
Email address:      rekgrpth@gmail.com
PostgreSQL version: 12.2
Operating system:   Docker alpine edge
Description:

To avoid sql-injections at identifiers I suggest to create new IDOID type
for PQexecParams (and others libpq) and SPI_execute_with_args (and other
spi) that will bw worked as %I in format command.

Now I need use PQescapeIdentifier for libpq and quote_identifier for spi,
but with new IDOID type I can transfrer identifiers wia args with this type!

pgsql-bugs by date:

From: Dean Rasheed
Date: 28 February 2020, 10:18:55
Subject: Re: BUG #16281: LN() function inaccurate at 1000th fractional digit

From: "Serbin, Ilya"
Date: 28 February 2020, 12:25:22
Subject: Re: BUG #16280: dead tuples (probably) effect plan and query performance

BUG #16282: Avoid sql-injections at identifiers - Mailing list pgsql-bugs

Previous

Next