On Mar 22, 2011, at 1:32 AM, Pavel Stehule wrote:
> it can work too, but there is sql injection risk.
>
> Never do 'SELECT ... FROM ' || tabname || ' ...
>
> Regards
>
> Pavel Stehule
Yes, true. Same with the following too:
CREATE FUNCTION foo(tablename text)
RETURNS SETOF text AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename);
END;
$$ LANGUAGE plpgsql;
To prevent SQL injection, the user can try SQL Protect:
http://www.enterprisedb.com/docs/en/9.0/sqlprotect/Table%20of%20Contents.htm
Thanks & Regards,
Vibhor Kumar
EnterpriseDB Corporation
The Enterprise PostgreSQL Company
vibhor.kumar@enterprisedb.com
Blog: http://vibhork.blogspot.com
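A side-by-side illustration of the point made in the thread, added here as an example and not code posted by either participant: the unquoted concatenation Pavel warns against, the same function with quote_ident(), and the EXECUTE ... USING pattern for data values, which quote_ident() does not cover. The tables docs and secrets and the functions foo_unsafe, foo_safe, foo_schema and foo_filtered are constructed fixtures for this example.

```sql
-- Added example (not from the thread). The tables docs/secrets and the
-- functions foo_unsafe/foo_safe/foo_schema/foo_filtered are constructed
-- fixtures; run in any PostgreSQL 8.4+ database.

CREATE TABLE docs    (content text);
CREATE TABLE secrets (content text);
INSERT INTO docs    VALUES ('hello'), ('world');
INSERT INTO secrets VALUES ('s3cret');

-- 1. Vulnerable: the argument is spliced into the statement text as-is,
--    so the caller controls everything after "FROM".
CREATE FUNCTION foo_unsafe(tablename text) RETURNS SETOF text AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT content FROM ' || tablename;
END;
$$ LANGUAGE plpgsql;

SELECT * FROM foo_unsafe('docs');
-- Injected argument: the whole string is parsed as SQL, so the query
-- also reads from a table the caller was never meant to see.
SELECT * FROM foo_unsafe('docs UNION ALL SELECT content FROM secrets');

-- 2. Hardened: quote_ident() double-quotes the value when needed
--    (doubling any embedded "), so the entire argument is one identifier
--    and must name an existing relation. The injected string is now
--    looked up as a single table literally named
--    "docs UNION ALL SELECT content FROM secrets", and the call fails.
CREATE FUNCTION foo_safe(tablename text) RETURNS SETOF text AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename);
END;
$$ LANGUAGE plpgsql;

SELECT * FROM foo_safe('docs');
SELECT * FROM foo_safe('docs UNION ALL SELECT content FROM secrets');

-- Caveat: quote_ident() quotes exactly one identifier. A schema-qualified
-- name has to be passed and quoted in two parts; quote_ident('public.docs')
-- produces "public.docs", one (non-existent) table name with a dot in it.
CREATE FUNCTION foo_schema(schemaname text, tablename text)
RETURNS SETOF text AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT content FROM '
        || quote_ident(schemaname) || '.' || quote_ident(tablename);
END;
$$ LANGUAGE plpgsql;

SELECT * FROM foo_schema('public', 'docs');

-- 3. Data values are a separate problem: quote_ident() is for names only.
--    Bind values as EXECUTE parameters with USING instead of concatenating
--    them (quote_literal() is the fallback when a parameter cannot be used).
CREATE FUNCTION foo_filtered(tablename text, needle text)
RETURNS SETOF text AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename)
                      || ' WHERE content = $1'
        USING needle;
END;
$$ LANGUAGE plpgsql;

SELECT * FROM foo_filtered('docs', 'hello');
-- The quotes inside the value are harmless: $1 is bound as data and is
-- never parsed as part of the statement.
SELECT * FROM foo_filtered('docs', 'hello'' OR ''1''=''1');
```

The second foo_unsafe call returns rows from both tables, while the same argument given to foo_safe is rejected because no relation of that name exists. Note that quote_ident() protects only identifier positions; a function that also builds a WHERE clause from its arguments still needs USING or quote_literal() for the values, as foo_filtered shows.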