Re: Passing a table as parameter

2011/3/21 Vibhor Kumar <vibhor(dot)kumar(at)enterprisedb(dot)com>:
>
> On Mar 22, 2011, at 1:52 AM, Pavel Stehule wrote:
>
>> simply thinks as using USAGE clause or functions quote_ident,
>> quote_literal are faster and absolutly secure :). Software like SQL
>
> I don't think usage of quote_ident in current requirement of user, would prevent sql injection.
> Running sql multiple times, someone can guess the tabename which can give data:
> ERROR:  relation "am" does not exist
> LINE 1: SELECT content FROM am ^QUERY:  SELECT content FROM amCONTEXT:  PL/pgSQL function "foo" line 2 at RETURN QUERY
>
> SQL Protect will make above message something like given below:
> ERROR:  SQLPROTECT: Illegal Query: relations
>

it is different view on security. When you have not a security gap,
then is irelevant if somebody has unlimited number of trials. SQL
Protect is "security by obscurity" - a logout can be a good sign for
blind injection.

well usage of quote_ident and quote_literal is a perfect protection
against sql injection. Wrong query doesn't mean a problem. Problem is
when attacker can change a semantic of SQL query.

Pavel

> Which stops user guessing relation.
>
> Thanks & Regards,
> Vibhor Kumar
> EnterpriseDB Corporation
> The Enterprise PostgreSQL Company
> vibhor(dot)kumar(at)enterprisedb(dot)com
> Blog:http://vibhork.blogspot.com
>
>