On Mar 22, 2011, at 1:52 AM, Pavel Stehule wrote:
> simply thinks as using USAGE clause or functions quote_ident,
> quote_literal are faster and absolutly secure :). Software like SQL
I don't think usage of quote_ident in current requirement of user, would prevent sql injection.
Running sql multiple times, someone can guess the tabename which can give data:
ERROR: relation "am" does not exist
LINE 1: SELECT content FROM am ^QUERY: SELECT content FROM amCONTEXT: PL/pgSQL function "foo" line 2 at RETURN QUERY
SQL Protect will make above message something like given below:
ERROR: SQLPROTECT: Illegal Query: relations
Which stops user guessing relation.
Thanks & Regards,
Vibhor Kumar
EnterpriseDB Corporation
The Enterprise PostgreSQL Company
vibhor.kumar@enterprisedb.com
Blog:http://vibhork.blogspot.com