From: | Chris Travers <chris(dot)travers(at)gmail(dot)com> |
---|---|
To: | David Johnston <polobo(at)yahoo(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Merlin Moncure <mmoncure(at)gmail(dot)com>, Sim Zacks <sim(at)compulab(dot)co(dot)il>, PostgreSQL general <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: eval function |
Date: | 2011-07-28 15:28:17 |
Message-ID: | CAKt_ZfuZsy7gFmjnuGmmkFqayVA0ErLgRa2CwtxULXpSpWyTFw@mail.gmail.com |
Lists: | pgsql-general |
On Thu, Jul 28, 2011 at 8:08 AM, David Johnston <polobo(at)yahoo(dot)com> wrote:
> At best, based upon the example using "current_timestamp()", you could only
> mark it as being stable, right?
>
> Also not mentioned; what risk is there of this function being hacked? It
> places the supplied data within a "SELECT (....) AS column_alias" structure
> so it seems to be pretty safe but can you devise a string that would, say,
> delete data or something similar. I would expect the following: '1); DELETE
> FROM table; SELECT (2' to be dangerous. What functions would you use to
> make the input string safe? Does "quote_literal()" plug this hole?
I don't think the hole can be plugged. The point of the function is
to execute arbitrary sql code. That means doing SQL injection
purposely in the function. I don't think there is a way around it
because SQL injection is specifically what is desired.
Best Wishes,
Chris Travers
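As an added example, not code from this thread or from any PostgreSQL project source, the sketch below reconstructs the shape of the function the question describes (a "SELECT (...) AS column_alias" wrapper around EXECUTE), puts the quote_literal() variant David asks about beside it, and then restricts who may call the real one. The function names eval and eval_quoted, the role name report_authors, and the exact bodies are assumptions.

```sql
-- Reconstructed eval(): assumed to match the function under discussion.
-- It wraps the caller's text in SELECT (...) AS column_alias and runs it.
-- VOLATILE (the default) is the only accurate declaration: the body can run
-- any statement, and PostgreSQL rejects data-modifying statements inside
-- STABLE or IMMUTABLE functions with "... is not allowed in a non-volatile
-- function", so a STABLE label would not describe what eval() does.
CREATE OR REPLACE FUNCTION eval(expr text) RETURNS text
LANGUAGE plpgsql VOLATILE
SECURITY INVOKER   -- run with the caller's privileges, never the owner's
AS $$
DECLARE
    result text;
BEGIN
    EXECUTE 'SELECT (' || expr || ') AS column_alias' INTO result;
    RETURN result;
END;
$$;

-- The quote_literal() variant from the question. It is "safe" only because
-- it no longer evaluates anything: the input becomes a string constant and
-- the SELECT just returns that constant.
CREATE OR REPLACE FUNCTION eval_quoted(expr text) RETURNS text
LANGUAGE plpgsql STABLE
AS $$
DECLARE
    result text;
BEGIN
    EXECUTE 'SELECT (' || quote_literal(expr) || ') AS column_alias' INTO result;
    RETURN result;
END;
$$;

-- Since the hole cannot be plugged, limit who can reach it instead.
-- report_authors is a hypothetical role name.
REVOKE EXECUTE ON FUNCTION eval(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION eval(text) TO report_authors;
```

Calling eval('1 + 1') evaluates the expression, while eval_quoted('1 + 1') hands back the text of the expression unevaluated, which is why quoting does not "fix" the function so much as remove its purpose. With SECURITY INVOKER, whatever the argument contains runs with the privileges of the role that called eval(), so the function adds no capability the caller lacked; the REVOKE/GRANT pair keeps it away from roles, and in particular application roles, that should never run arbitrary SQL.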