| From: | Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: [HACKERS] PQescapeIdentifier |
| Date: | 2006-06-27 02:43:24 |
| Message-ID: | 44A09B4C.3050605@familyhealth.com.au |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-patches |
>> I thought of that but I assume we were not accepting user-supplied
>> identifiers for this --- that this was only for application use. Am I
>> wrong?
Well, yes the plan was to accept user-supplied identifiers...
> If you insist on a practical example, I can certainly imagine someone
> thinking it'd be cool to allow searches on a user-selected column, and
> implementing that by passing the user-given column name straight into
> the query with only PQescapeIdentifier for safety.
Yes, phpPgAdmin sure would. I imagine this would be a nightmare to
address properly, so perhaps we should remove the function :(
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2006-06-27 02:49:30 | Re: [HACKERS] PQescapeIdentifier |
| Previous Message | Christopher Kings-Lynne | 2006-06-27 02:42:00 | Re: [HACKERS] PQescapeIdentifier |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2006-06-27 02:49:30 | Re: [HACKERS] PQescapeIdentifier |
| Previous Message | Christopher Kings-Lynne | 2006-06-27 02:42:00 | Re: [HACKERS] PQescapeIdentifier |