| From: | Vibhor Kumar <vibhor(dot)kumar(at)enterprisedb(dot)com> |
|---|---|
| To: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
| Cc: | Jon Smark <jon(dot)smark(at)yahoo(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Passing a table as parameter |
| Date: | 2011-03-21 20:47:26 |
| Message-ID: | 337C835F-A70D-4FE3-AFEC-41D31BE3DCA6@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Mar 22, 2011, at 1:52 AM, Pavel Stehule wrote:
> simply thinks as using USAGE clause or functions quote_ident,
> quote_literal are faster and absolutly secure :). Software like SQL
I don't think usage of quote_ident in current requirement of user, would prevent sql injection.
Running sql multiple times, someone can guess the tabename which can give data:
ERROR: relation "am" does not exist
LINE 1: SELECT content FROM am ^QUERY: SELECT content FROM amCONTEXT: PL/pgSQL function "foo" line 2 at RETURN QUERY
SQL Protect will make above message something like given below:
ERROR: SQLPROTECT: Illegal Query: relations
Which stops user guessing relation.
Thanks & Regards,
Vibhor Kumar
EnterpriseDB Corporation
The Enterprise PostgreSQL Company
vibhor(dot)kumar(at)enterprisedb(dot)com
Blog:http://vibhork.blogspot.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Stehule | 2011-03-21 21:09:33 | Re: Passing a table as parameter |
| Previous Message | David Fetter | 2011-03-21 20:45:04 | Re: postgres conferences missing videos? |