Re: PG do not accept quoted names for tables/columns - Mailing list pgsql-bugs

From Stephan Szabo
Subject Re: PG do not accept quoted names for tables/columns
Date
Msg-id 20030206113424.S40575-100000@megazone23.bigpanda.com
In response to PG do not accept quoted names for tables/columns  (Yaniv Hamo <hamo@cs.Technion.AC.IL>)
List pgsql-bugs
On Thu, 6 Feb 2003, Yaniv Hamo wrote:

> I noticed that Postgres issues a fatal error when given a quoted name of
> table or column. This is a problem in secured cgi scripts, which quote
> everything they get from the user, to avoid malicious users from trying to
> execute SQL commands using some engineered input.
>
>
> shared# select version();
>                                version
> ---------------------------------------------------------------------
>  PostgreSQL 7.3.1 on i686-pc-linux-gnu, compiled by GCC egcs-2.91.66
>
>
> shared# CREATE TABLE 'testtable' ('test' INT);
> ERROR:  parser: parse error at or near "'testtable'" at character 14

I don't believe that's a valid query. For delimiting identifiers I think
you want double quotes, not single quotes.
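
The distinction drawn in the reply, as an added example that is not part of the original message: identifiers are delimited with double quotes (an embedded double quote is doubled), while values are passed as bound parameters rather than quoted by hand. The helper names and the constructed hostile table name are assumptions, and SQLite (which applies the same standard double-quote rule for identifiers) stands in for PostgreSQL so the code runs offline.

```python
import sqlite3

# Constructed sample input: an identifier that tries to close the quoting early.
HOSTILE = 'x" (y INT); DROP TABLE "testtable"; --'

def quote_ident(name: str) -> str:
    """Delimit an SQL identifier: wrap it in double quotes and double any
    embedded double quote. Single quotes would make it a string literal,
    which is why the CREATE TABLE 'testtable' in the report is a parse error."""
    if not name or "\x00" in name:
        raise ValueError("identifier must be non-empty and contain no NUL byte")
    return '"' + name.replace('"', '""') + '"'

def create_int_table(conn, table: str, column: str) -> str:
    """Create a one-column INT table from untrusted names; return the SQL sent."""
    sql = f"CREATE TABLE {quote_ident(table)} ({quote_ident(column)} INT)"
    conn.execute(sql)
    return sql

def insert_value(conn, table: str, column: str, value) -> None:
    """Identifiers are quoted; the value travels as a bound parameter."""
    conn.execute(
        f"INSERT INTO {quote_ident(table)} ({quote_ident(column)}) VALUES (?)",
        (value,),
    )

def table_names(conn):
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    )
    return [r[0] for r in rows]

def demo():
    conn = sqlite3.connect(":memory:")
    create_int_table(conn, "testtable", "test")
    # The hostile text ends up as one (odd) table name, not as extra SQL.
    create_int_table(conn, HOSTILE, "test")
    insert_value(conn, HOSTILE, "test", 42)
    rows = conn.execute(
        f"SELECT {quote_ident('test')} FROM {quote_ident(HOSTILE)}"
    ).fetchall()
    return table_names(conn), rows

if __name__ == "__main__":
    names, rows = demo()
    print(names, rows)
```

In PostgreSQL, a double-quoted identifier is also case-sensitive, whereas an unquoted one is folded to lower case, so a script that quotes names must quote them consistently.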
