On Tue, Sep 15, 2009 at 07:38:18AM +0200, Pavel Stehule wrote:
> it isn't fair :) why you use $$ without single quote? And still this
> case should be vulnerable on SQL injection. Maybe you or me knows,
> what SQL injection means, but beginners knows nothing and this people
> use following bad code:
>
> sql := $$SELECT * FROM '${table_name}'$$} and are happy. But this code
> is wrong!
I have an idea you will like less: have multiple interpolation codes that
automagically do the right quoting. Perhaps as extra printf like type codes.
The above then becomes:
sql := pgprintf($$SELECT * FROM %I;$$, table_name )
Where %I evaluates as if it were quote_ident(%s).
This would maybe even encourage users to do the quoting they should by
making it easy.
-dg
--
David Gould daveg@sonic.net 510 536 1443 510 282 0869
If simplicity worked, the world would be overrun with insects.