From: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
To: Ludovic Gasc <gmludo(at)gmail(dot)com>
Cc: Dorian Hoxha <dorian(dot)hoxha(at)gmail(dot)com>, psycopg(at)postgresql(dot)org
Subject: Re: Sanitize schema name
Date: 2015-05-07 22:12:04
Message-ID: 554BE334.1030300@aklaver.com
Lists: psycopg
On 05/07/2015 01:06 PM, Ludovic Gasc wrote:
> Thanks all for your answers, you understand well my need.
>
> About PQescapeIdentifier:
> 1. An idea of release date for the next version of psycopg2 ?
> 2. Are you sure it's enough to protect against SQL injections, because
> you can read in the documentation: *Tip:* As with string literals, to
> prevent SQL injection attacks, SQL identifiers must be escaped when they
> are received from an untrustworthy source.
>
> About format() it doesn't work for schema, example:
> SELECT format('SELECT * FROM %I WHERE id=1', 'lg.devices')
> => SELECT * FROM "lg.devices" WHERE id=1
> SELECT * FROM "lg.devices" WHERE id=1
> => ERROR: relation "lg.devices" does not exist
> LINE 1: SELECT * FROM "lg.devices" WHERE id=1
>                       ^
>
> ********** Error **********
>
> ERROR: relation "lg.devices" does not exist
>
Try:
SELECT format('SELECT * FROM %I.%I WHERE id=1', 'lg', 'devices')
Still not sure why you cannot use search_path and avoid the schema
qualification altogether?
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
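The two points made in this exchange (identifier quoting as an injection defence, and the fact that a quoted name is always one identifier, so a dotted schema.table has to be split before quoting) can be shown without a database. The following is an added example, not code from the thread, from libpq or from psycopg2: a pure-Python model of the rule PQescapeIdentifier applies, wrap the name in double quotes and double every embedded double quote. The function names quote_ident, quote_qualified and select_by_id are this example's own, and the inputs at the bottom are constructed.

```python
# Added example, not code from the thread or from psycopg2/libpq: a pure-Python
# model of the PQescapeIdentifier quoting rule. Function names are the
# example's own.

def quote_ident(name: str) -> str:
    """Quote ONE identifier: wrap in double quotes, double embedded quotes.

    Whatever the input contains, the output is a single name to the SQL
    parser. That is the defence against injection, and also why the
    dotted 'lg.devices' from the thread becomes one (non-existent) relation
    rather than schema.table.
    """
    if not name:
        raise ValueError("empty identifier")
    if "\0" in name:
        # libpq rejects NUL as well: in a C string it would cut the name off
        # before the closing quote is ever appended.
        raise ValueError("identifier contains NUL")
    return '"' + name.replace('"', '""') + '"'


def quote_qualified(*parts: str) -> str:
    """Quote each part of a dotted name separately and join them with '.'.

    This is the %I.%I form from the reply, generalised to any number of
    parts (schema.table, schema.table.column, ...).
    """
    if not parts:
        raise ValueError("no identifier parts")
    return ".".join(quote_ident(p) for p in parts)


def select_by_id(schema: str, relation: str) -> str:
    """Build the thread's query with schema and table from untrusted input.

    Only the identifiers are quoted in; the row id stays a bind parameter
    (%s for psycopg2) and is never string-formatted.
    """
    return "SELECT * FROM " + quote_qualified(schema, relation) + " WHERE id = %s"


if __name__ == "__main__":
    # Constructed inputs: the dotted name from the thread, the split form, and
    # an injection attempt smuggled into the table name.
    print(quote_ident("lg.devices"))           # "lg.devices"  (one identifier, as in the ERROR)
    print(quote_qualified("lg", "devices"))    # "lg"."devices"
    print(select_by_id("lg", 'devices"; DROP TABLE devices; --'))
```

The injection attempt ends up as a single quoted identifier, `"devices""; DROP TABLE devices; --"`, so the semicolon, the DROP and the `--` are all just characters in a table name that does not exist. Two caveats a practitioner will want: quoted identifiers are case-sensitive, so quoting `Devices` refers to a table named `Devices`, not `devices`; and quoting only keeps the name a name, it does not restrict which schema a caller may reach, so an allow-list of permitted schemas (or the search_path approach suggested above) is still needed for authorisation. psycopg2 2.7 and later ship `psycopg2.sql.Identifier`, which applies this same rule, and newer releases accept several parts, `sql.Identifier('lg', 'devices')`, joining them with dots as quote_qualified does here.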