Thread: Request for WikiEditing privilege

Request for WikiEditing privilege

From: Sadeq Dousti
Hi,

I would like editor access to the wiki, my username is msdousti and I would like to modify the Count Estimate page (https://wiki.postgresql.org/wiki/Count_estimate).
At the moment, it uses the string concatenation operator ||, which is susceptible to SQL injection.

I'd like to mention that, starting 9.1, the FORMAT function accepts %L, and add a query that uses %L to perform EXPLAIN (FORMAT JSON).

Best wishes,
Sadeq Dousti

Re: Request for WikiEditing privilege

From: Alvaro Herrera
Hello Sadeq,

On 2024-Nov-11, Sadeq Dousti wrote:

> I would like editor access to the wiki, my username is *msdousti* and I
> would like to modify the Count Estimate page (
> https://wiki.postgresql.org/wiki/Count_estimate).
> At the moment, it uses the string concatenation operator ||, which is
> susceptible to SQL injection.

Cool.  You're an editor now.

> I'd like to mention that, starting 9.1, the FORMAT function accepts %L, and
> add a query that uses %L to perform EXPLAIN (FORMAT JSON).

Sounds good.  If you can also modify the page to remove the <source> tag
and replace it with <syntaxhighlighting> while at it, it'd be great.
I'd even suggest to add a [[Category:Snippets]] line while at it, so
that this page shows up in the snippets index page.

-- 
Álvaro Herrera        Breisgau, Deutschland  —  https://www.EnterpriseDB.com/



Re: Request for WikiEditing privilege

From: Sadeq Dousti
Dear Álvaro,

Thanks a lot for giving me the edit permission. I applied all your suggestions.

I noted, however, that my initial suggestion of using FORMAT + %L does not work, as it quotes the query supplied to EXPLAIN. 
As such, I used FORMAT + %s, with a warning that the function is susceptible to SQLi.

Best wishes,
Sadeq

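Added example, not code from the thread or from the Count_estimate wiki page: the three string-building variants discussed above in runnable PL/pgSQL, plus the bind-parameter form that keeps untrusted values out of the statement text. The `orders` table, its sample rows and the wrapper `count_estimate_orders_by_status` are constructed for this illustration and are not part of the wiki page. Step 1 shows why `%L` cannot work: `format('%L')` emits a single-quoted literal, so the resulting string reads `EXPLAIN (FORMAT JSON) 'SELECT 1'` and fails to parse. Step 2 is the `%s` version, which interpolates verbatim exactly as `||` does; that is what EXPLAIN needs and also why the function must be treated as a dynamic-SQL sink.

```sql
-- Added example (not the wiki page's or the thread's code). Table, role and
-- wrapper names below are constructed for illustration.

-- 1. What %L does to a query string: a quoted literal, not SQL. Run this to
--    see the text that the %L variant would have handed to EXECUTE.
SELECT format('EXPLAIN (FORMAT JSON) %L', 'SELECT 1') AS would_not_parse;

-- 2. The working version: %s interpolates verbatim, like ||. Whatever text
--    the caller supplies becomes part of the statement, so keep the function
--    SECURITY INVOKER (the default) and do not expose it to untrusted roles.
CREATE OR REPLACE FUNCTION count_estimate(query text)
RETURNS bigint
LANGUAGE plpgsql
STRICT
AS $$
DECLARE
    plan jsonb;
BEGIN
    -- EXPLAIN (FORMAT JSON) returns one text row; the assignment coerces it
    -- to jsonb. Plan Rows is the planner's estimate for the top node.
    EXECUTE format('EXPLAIN (FORMAT JSON) %s', query) INTO plan;
    RETURN (plan -> 0 -> 'Plan' ->> 'Plan Rows')::bigint;
END;
$$;

-- Limit who can reach the string-taking entry point at all.
REVOKE EXECUTE ON FUNCTION count_estimate(text) FROM PUBLIC;

-- 3. Hypothetical parameterized wrapper: the query template is a constant in
--    the function body and the untrusted value travels as a bind parameter
--    through USING, so it can never alter the statement text. EXPLAIN plans
--    the parameterized statement with the supplied value.
CREATE OR REPLACE FUNCTION count_estimate_orders_by_status(p_status text)
RETURNS bigint
LANGUAGE plpgsql
STRICT
AS $$
DECLARE
    plan jsonb;
BEGIN
    EXECUTE 'EXPLAIN (FORMAT JSON) SELECT 1 FROM orders WHERE status = $1'
       INTO plan
      USING p_status;
    RETURN (plan -> 0 -> 'Plan' ->> 'Plan Rows')::bigint;
END;
$$;

-- 4. Constructed data: 100000 orders, one in ten cancelled, the rest open.
CREATE TABLE orders (id bigserial PRIMARY KEY, status text NOT NULL);
INSERT INTO orders (status)
SELECT CASE WHEN g % 10 = 0 THEN 'cancelled' ELSE 'open' END
  FROM generate_series(1, 100000) AS g;
ANALYZE orders;

-- Both forms estimate the same filtered query.
SELECT count_estimate('SELECT 1 FROM orders WHERE status = ''open''') AS via_string;
SELECT count_estimate_orders_by_status('open') AS via_bind_param;

-- 5. Where the injection lives: an application that splices a user value
--    into the query string it passes to count_estimate. The value below
--    closes the literal, appends OR true and comments out the rest, so the
--    WHERE clause is rewritten and the estimate covers the whole table.
--    Through the bind parameter the same text is just a status value that
--    matches nothing.
SELECT count_estimate(
         'SELECT 1 FROM orders WHERE status = ''' || 'open'' OR true --' || ''''
       ) AS spliced_estimate;
SELECT count_estimate_orders_by_status('open'' OR true --') AS bound_estimate;
```

EXPLAIN without ANALYZE only plans the statement, so the spliced input above changes an estimate rather than data, but the function still hands caller-controlled text to EXECUTE; treat it like any other dynamic SQL: restrict EXECUTE privilege, never mark it SECURITY DEFINER, and build application-facing entry points on fixed templates with USING parameters as in step 3.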