Home > mailing lists

Re: Passing a table as parameter - Mailing list pgsql-general

From	Vibhor Kumar
Subject	Re: Passing a table as parameter
Date	March 21, 2011 20:45:14
Msg-id	337C835F-A70D-4FE3-AFEC-41D31BE3DCA6@enterprisedb.com Whole thread Raw
In response to	Re: Passing a table as parameter (Pavel Stehule <pavel.stehule@gmail.com>)
Responses	Re: Passing a table as parameter (Pavel Stehule <pavel.stehule@gmail.com>)
List	pgsql-general

Tree view

On Mar 22, 2011, at 1:52 AM, Pavel Stehule wrote:

> simply thinks as using USAGE clause or functions quote_ident,
> quote_literal are faster and absolutly secure :). Software like SQL

I don't think usage of quote_ident in current requirement of user, would prevent sql injection.
Running sql multiple times, someone can guess the tabename which can give data:
ERROR:  relation "am" does not exist
LINE 1: SELECT content FROM am ^QUERY:  SELECT content FROM amCONTEXT:  PL/pgSQL function "foo" line 2 at RETURN QUERY

SQL Protect will make above message something like given below:
ERROR:  SQLPROTECT: Illegal Query: relations

Which stops user guessing relation.

Thanks & Regards,
Vibhor Kumar
EnterpriseDB Corporation
The Enterprise PostgreSQL Company
vibhor.kumar@enterprisedb.com
Blog:http://vibhork.blogspot.com

pgsql-general by date:

From: David Fetter
Date: 21 March 2011, 20:45:13
Subject: Re: postgres conferences missing videos?

From: Pavel Stehule
Date: 21 March 2011, 21:10:21
Subject: Re: Passing a table as parameter

Re: Passing a table as parameter - Mailing list pgsql-general

Previous

Next