| From: | Stephan Szabo <sszabo(at)megazone23(dot)bigpanda(dot)com> |
|---|---|
| To: | Yaniv Hamo <hamo(at)cs(dot)Technion(dot)AC(dot)IL> |
| Cc: | <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: PG do not accept quoted names for tables/columns |
| Date: | 2003-02-06 19:36:12 |
| Message-ID: | 20030206113424.S40575-100000@megazone23.bigpanda.com |
| Lists: | pgsql-bugs |

On Thu, 6 Feb 2003, Yaniv Hamo wrote:
> I noticed that Postgres issues a fatal error when given a quoted name of
> table or column. This is a problem in secured cgi scripts, which quote
> everything they get from the user, to avoid malicious users from trying to
> execute SQL commands using some engineered input.
>
>
> shared# select version();
> version
> ---------------------------------------------------------------------
> PostgreSQL 7.3.1 on i686-pc-linux-gnu, compiled by GCC egcs-2.91.66
>
>
> shared# CREATE TABLE 'testtable' ('test' INT);
> ERROR: parser: parse error at or near "'testtable'" at character 14

I don't believe that's a valid query. For delimiting identifiers I think
you want double quotes, not single quotes.
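
The distinction drawn in this reply, as an added example that is not part of the original message and is not PostgreSQL's own code: table and column names are delimited with double quotes, with any embedded double quote doubled, while single quotes delimit string values. The helper names `pg_quote_ident` and `create_table_sql` and the `ALLOWED_TYPES` set are assumptions made for this sketch.

```python
# Added example: building DDL from request-supplied names for PostgreSQL.
ALLOWED_TYPES = {"INT", "TEXT", "BOOLEAN"}  # assumption: types this script permits


def pg_quote_ident(name):
    """Return name as a delimited identifier: "..." with embedded " doubled."""
    if not name:
        raise ValueError("empty identifier")
    if "\x00" in name:
        raise ValueError("NUL is not allowed in an identifier")
    return '"' + name.replace('"', '""') + '"'


def create_table_sql(table, columns):
    """Build CREATE TABLE from (column name, type) pairs (hypothetical helper)."""
    if not columns:
        raise ValueError("at least one column is required")
    parts = []
    for col_name, col_type in columns:
        col_type = col_type.strip().upper()
        # A type name is a keyword, not an identifier or a value, so it
        # cannot be quoted into safety: check it against an allowlist.
        if col_type not in ALLOWED_TYPES:
            raise ValueError(f"type not allowed: {col_type!r}")
        parts.append(f"{pg_quote_ident(col_name)} {col_type}")
    return f"CREATE TABLE {pg_quote_ident(table)} ({', '.join(parts)});"


if __name__ == "__main__":
    # The statement from the thread, with double quotes around the names.
    print(create_table_sql("testtable", [("test", "INT")]))
    # Constructed input containing a double quote: it stays inside the name.
    print(pg_quote_ident('odd"name'))
```

A double-quoted identifier is case-sensitive in PostgreSQL, whereas an unquoted one is folded to lower case, so `"TestTable"` and `testtable` name different tables. Data values are better passed as bind parameters than quoted into the statement text.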