From: | Andrew McMillan <andrew(at)catalyst(dot)net(dot)nz> |
---|---|
To: | Yaniv Hamo <hamo(at)cs(dot)Technion(dot)AC(dot)IL> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: PG do not accept quoted names for tables/columns |
Date: | 2003-02-06 19:42:41 |
Message-ID: | 1044560560.2939.23.camel@kant.mcmillan.net.nz |
Lists: | pgsql-bugs |

On Thu, 2003-02-06 at 22:26, Yaniv Hamo wrote:
> Hi,
> I noticed that Postgres issues a fatal error when given a quoted name of
> table or column. This is a problem in secured cgi scripts, which quote
> everything they get from the user, to avoid malicious users from trying to
> execute SQL commands using some engineered input.

The SQL specification states that you should quote identifiers with
double quotes. Single quotes are used for quoting values:

    CREATE TABLE "testtable" ( "test" INT );

PostgreSQL is SQL compliant on this issue.

Regards,
Andrew.
--
---------------------------------------------------------------------
Andrew @ Catalyst .Net.NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201 MOB: +64(21)635-694 OFFICE: +64(4)499-2267
Survey for nothing with http://survey.net.nz/
---------------------------------------------------------------------
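
The distinction drawn in the message above, as an added example that is not part of the original e-mail or of PostgreSQL's code: identifiers are double-quoted by the script, while the value is never quoted by hand and is left to the database driver as a parameter. The function names, the `SCHEMA` allowlist and the `%s` placeholder style (as used by psycopg2) are assumptions made for illustration.

```python
# Added example: identifier quoting vs. value parameters for a CGI-style script.

MAX_IDENT_BYTES = 63  # PostgreSQL default: NAMEDATALEN (64) minus the terminator

# Assumed schema allowlist, taken from the CREATE TABLE in the message above.
SCHEMA = {"testtable": {"test"}}


def quote_ident(name):
    """Return name as a double-quoted SQL identifier."""
    if not name or "\x00" in name:
        raise ValueError("identifier must be non-empty and NUL-free")
    # Rejecting over-long names is a choice made here; the server would truncate.
    if len(name.encode("utf-8")) > MAX_IDENT_BYTES:
        raise ValueError("identifier exceeds %d bytes" % MAX_IDENT_BYTES)
    # An embedded double quote is written twice inside a quoted identifier.
    return '"' + name.replace('"', '""') + '"'


def build_select(table, column, value, schema=SCHEMA):
    """Build (sql, params): identifiers quoted, the value left to the driver."""
    # Names coming from a request are checked against the known schema first;
    # quoting alone only guarantees the name is parsed as a single identifier.
    if column not in schema.get(table, ()):
        raise LookupError("unknown table or column")
    sql = "SELECT {col} FROM {tab} WHERE {col} = %s".format(
        col=quote_ident(column), tab=quote_ident(table))
    # The value travels separately, so no single-quote escaping is done here.
    return sql, (value,)


if __name__ == "__main__":
    # Constructed sample input: a value that must stay a value.
    print(build_select("testtable", "test", "1 OR 1=1"))
```

A name wrapped in single quotes, such as `'test'`, fails the allowlist check here instead of reaching the server as a string literal in identifier position.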