Re: Dynamically filtering a CTE?

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: "W(dot) Trevor King" <wking(at)tremily(dot)us>
Cc: pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: Dynamically filtering a CTE?
Date: 2018-04-20 16:33:22
Message-ID: CAKFQuwaOQr9Hm3msA2X+tmh2AhoyN1m+fKyRarAr3EmL20OaXg@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Fri, Apr 20, 2018 at 9:22 AM, W. Trevor King <wking(at)tremily(dot)us> wrote:

> format('
> WITH RECURSIVE _ancestors(id, ancestors) AS (
> SELECT
> item.id AS id,
> ARRAY[item.ancestor_id] AS ancestors
> FROM items AS item
> %s
> ​[...]​
>
> ', condition);
>
> SELECT * FROM ancestors('WHERE item.id = 62324721');
>

​Just keep in mind that this opens up a huge SQL-injection hole in your
database. Depending on how its called you might want to validation the
input text for both whitelist and blacklist items before executing it.

David J.

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message James Keener 2018-04-20 16:45:00 Re: Postgresql database encryption
Previous Message W. Trevor King 2018-04-20 16:22:32 Re: Dynamically filtering a CTE?