Home > mailing lists

Re: Passing a table as parameter - Mailing list pgsql-general

From	Pavel Stehule
Subject	Re: Passing a table as parameter
Date	March 21, 2011 20:31:20
Msg-id	AANLkTimm=VuXU785MGnLO3p=Kv6-oOHhWqgynYmvjW0V@mail.gmail.com Whole thread Raw
In response to	Re: Passing a table as parameter (Vibhor Kumar <vibhor.kumar@enterprisedb.com>)
Responses	Re: Passing a table as parameter (Vibhor Kumar <vibhor.kumar@enterprisedb.com>)
List	pgsql-general

Tree view

2011/3/21 Vibhor Kumar <vibhor.kumar@enterprisedb.com>:
>
> On Mar 22, 2011, at 1:32 AM, Pavel Stehule wrote:
>
>> it can work too, but there is sql injection risk.
>>
>> Do newer 'SELECT ... FROM ' || tabname || ' ...
>>
>> Regards
>>
>> Pavel Stehule
>
> Yes true. Same with the following too:
> CREATE FUNCTION foo(tablename text)
> RETURNS SETOF text AS $$
> BEGIN
> RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename);
> END;
> $$ LANGUAGE plpgsql;
>
> To prevent from sql injection user can try with SQL Protect:
> http://www.enterprisedb.com/docs/en/9.0/sqlprotect/Table%20of%20Contents.htm
>

simply thinks as using USAGE clause or functions quote_ident,
quote_literal are faster and absolutly secure :). Software like SQL
Protect is good for old unsecured applications but better do
development well.

Regards

Pavel Stehule

> Thanks & Regards,
> Vibhor Kumar
> EnterpriseDB Corporation
> The Enterprise PostgreSQL Company
> vibhor.kumar@enterprisedb.com
> Blog:http://vibhork.blogspot.com
>
>

pgsql-general by date:

From: "Davenport, Julie"
Date: 21 March 2011, 20:29:31
Subject: Re: query taking much longer since Postgres 8.4 upgrade

From: Scott Ribe
Date: 21 March 2011, 20:34:58
Subject: Re: query execution time

Re: Passing a table as parameter - Mailing list pgsql-general

Previous

Next