From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
---|---|
To: | decibel <decibel(at)decibel(dot)org> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, "David E(dot) Wheeler" <david(at)kineticode(dot)com>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: RfD: more powerful "any" types |
Date: | 2009-09-14 17:42:42 |
Message-ID: | 162867790909141042k461b5be1rd7f729d9931db67d@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
2009/9/14 decibel <decibel(at)decibel(dot)org>:
> On Sep 14, 2009, at 12:13 AM, Pavel Stehule wrote:
>>
>> 2009/9/13 decibel <decibel(at)decibel(dot)org>:
>>>
>>> On Sep 12, 2009, at 5:54 PM, Andrew Dunstan wrote:
>>>>
>>>> decibel wrote:
>>>>>
>>>>> Speaking of concatenation...
>>>>>
>>>>> Something I find sorely missing in plpgsql is the ability to put
>>>>> variables inside of a string, ie:
>>>>>
>>>>> DECLARE
>>>>> v_table text := ...
>>>>> v_sql text;
>>>>> BEGIN
>>>>> v_sql := "SELECT * FROM $v_table";
>>>>>
>>>>> Of course, I'm assuming that if it was easy to do that it would be done
>>>>> already... but I thought I'd just throw it out there.
>>>>>
>>>>
>>>> Then use a language that supports variable interpolation in strings,
>>>> like
>>>> plperl, plpythonu, plruby .... instead of plpgsql.
>>>
>>>
>>> Which makes executing SQL much, much harder.
>>>
>>> At least if we get sprintf dealing with strings might become a bit
>>> easier...
>>
>> This feature is nice - but very dangerous - it the most easy way how
>> do vulnerable (on SQL injection) application!
>
>
> How is it any worse than what people can already do? Anyone who isn't aware
> of the dangers of SQL injection has already screwed themselves. You're
> basically arguing that they would put a variable inside of quotes, but they
> would never use ||.
simply - people use functions quote_literal or quote_ident.
regards
Pavel Stehule
> --
> Decibel!, aka Jim C. Nasby, Database Architect decibel(at)decibel(dot)org
> Give your computer some brain candy! www.distributed.net Team #1828
>
>
>
From | Date | Subject | |
---|---|---|---|
Next Message | Merlin Moncure | 2009-09-14 17:53:45 | Re: RfD: more powerful "any" types |
Previous Message | decibel | 2009-09-14 17:42:31 | Re: Elementary dependency look-up |