PL/pgSQL EXECUTE quote_ident(), and SQL injection - Mailing list pgsql-general

From: Knut P. Lehre
Subject: PL/pgSQL EXECUTE quote_ident(), and SQL injection
Msg-id: fb99a155433d4.4a44a260@broadpark.no
List: pgsql-general
Responses: Re: PL/pgSQL EXECUTE quote_ident(), and SQL injection
Is there any known way to inject SQL into a function similar to this?

create function testinjection(text,integer)
 returns void as
$BODY$
declare
begin
 -- $1 is passed through quote_ident(), so it is emitted as one
 -- double-quoted identifier; $2 is an integer, so it is cast to text
 -- and concatenated, not taken from untrusted text.
 execute 'update '||quote_ident($1)||' set c=null where id='||$2;
 return;
end;
$BODY$
language 'plpgsql' volatile security definer;
grant execute on function testinjection(text,integer) to public;
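The following is an added example, not part of the original post, that exercises quote_ident() against hostile identifier text and shows the same function written with a bound parameter (EXECUTE ... USING, PostgreSQL 8.4 and later) and with format() (%I for identifiers, %L for literals, 9.1 and later). The table t, its columns id and c, and the function names are assumptions made for the example.

```sql
-- Added example (not from the original post). Assumed table and names.
create table t (id integer primary key, c text);
insert into t values (1, 'keep'), (2, 'keep');

-- quote_ident() double-quotes anything that is not a plain lower-case
-- identifier and doubles any embedded double quotes, so each of these
-- becomes a single (non-existent) relation name rather than extra SQL.
-- Note that a dotted string is one quoted identifier, not schema.table.
select quote_ident('t; drop table t; --');
select quote_ident('t"; drop table t; --');
select quote_ident('public.t');

-- Same function, passing the integer as a bound parameter instead of
-- concatenating it into the statement text. Inside the EXECUTE string,
-- $1 refers to the first USING value, not to the function's first argument.
-- search_path is pinned (pg_temp last) so the caller's search_path cannot
-- redirect the unqualified name lookup inside a security definer function.
create or replace function testinjection_using(text, integer)
 returns void as
$BODY$
begin
 execute 'update '||quote_ident($1)||' set c=null where id=$1' using $2;
 return;
end;
$BODY$
language plpgsql volatile security definer
set search_path = public, pg_temp;

-- Same again with format(): %I quotes an identifier, %L quotes a literal.
create or replace function testinjection_format(text, integer)
 returns void as
$BODY$
begin
 execute format('update %I set c = null where id = %L', $1, $2);
 return;
end;
$BODY$
language plpgsql volatile security definer
set search_path = public, pg_temp;

-- Normal use: only row 1 of t has c set to null afterwards.
select testinjection_using('t', 1);
select testinjection_format('t', 2);
select * from t order by id;

-- Hostile identifier: the call fails with a "relation does not exist"
-- error; the text after the semicolon is never executed as SQL.
select testinjection_using('t; drop table t; --', 1);
```

Whichever form is used, note what the function grants rather than what it prevents: because it is security definer and executable by public, any caller can null out column c of any table the owner may update, as long as they know its name. Restricting the accepted table names (or schema-qualifying a fixed table) is a separate design decision from quoting.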
