From: | Ludovic Gasc <gmludo(at)gmail(dot)com> |
---|---|
To: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
Cc: | Dorian Hoxha <dorian(dot)hoxha(at)gmail(dot)com>, psycopg(at)postgresql(dot)org |
Subject: | Re: Sanitize schema name |
Date: | 2015-05-09 20:03:20 |
Message-ID: | CAON-fpGiXspT=vDhVsDZuaT0ean6iawjq_vYtQfTiTRgX6QFWw@mail.gmail.com |
Lists: | psycopg |
2015-05-08 0:12 GMT+02:00 Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>:
> On 05/07/2015 01:06 PM, Ludovic Gasc wrote:
>
>> Thanks all for your answers, you understand well my need.
>>
>> About PQescapeIdentifier:
>> 1. An idea of release date for the next version of psycopg2 ?
>> 2. Are you sure it's enough to protect against SQL injections, because
>> you can read in the documentation: *Tip:* As with string literals, to
>> prevent SQL injection attacks, SQL identifiers must be escaped when they
>> are received from an untrustworthy source.
>>
>> About format() it doesn't work for schema, example:
>> SELECT format('SELECT * FROM %I WHERE id=1', 'lg.devices')
>> => SELECT * FROM "lg.devices" WHERE id=1
>> SELECT * FROM "lg.devices" WHERE id=1
>> => ERROR: relation "lg.devices" does not exist
>> LIGNE 1 : SELECT * FROM "lg.devices" WHERE id=1
>> ^
>>
>> ********** Error **********
>>
>> ERROR: relation "lg.devices" does not exist
>>
>>
> Try:
>
> SELECT format('SELECT * FROM %I.%I WHERE id=1', 'lg', 'devices')
>
OK, now it works, but I need to run the query two times: the first time
with SELECT format(), and a second time with the result of the first query.
Shouldn't it be possible to execute that in only one pass?
>
> Still not sure why you cannot use search_path and avoid the schema
> qualification altogether?
Because I use a pool of pgsql sockets where no connections are dedicated to
one particular client.
I could change that each time just before executing each query, but it
wouldn't be very efficient.
>
>
> --
> Adrian Klaver
> adrian(dot)klaver(at)aklaver(dot)com
>
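As an added illustration, not part of this thread or of psycopg itself: the schema-qualified name can be composed client-side in one pass, with the same quoting rules PostgreSQL's quote_ident()/format('%I') apply (wrap in double quotes, double any embedded double quote), schema and table quoted separately, and the row id left as a psycopg2 bind parameter. The function names and the sample identifiers are mine.

```python
"""Client-side quoting of schema.table for psycopg2 queries.

Constructed example: mirrors quote_ident()/format('%I') in Python so the
query is built in one pass, with no extra round trip for SELECT format(...).
"""


def quote_ident(name: str) -> str:
    """Quote one SQL identifier the way PostgreSQL's quote_ident() does."""
    if not isinstance(name, str) or name == "":
        raise ValueError("identifier must be a non-empty string")
    if "\x00" in name:
        # Conservative extra check (not part of the quote_ident rules):
        # a NUL byte can never be part of a PostgreSQL identifier.
        raise ValueError("identifier contains NUL")
    return '"' + name.replace('"', '""') + '"'


def qualified_name(schema: str, table: str) -> str:
    """Quote schema and table separately so the dot stays outside the quotes."""
    return quote_ident(schema) + "." + quote_ident(table)


def select_by_id(schema: str, table: str) -> str:
    """Build the query from the thread; id stays a %s bind parameter for execute()."""
    return "SELECT * FROM " + qualified_name(schema, table) + " WHERE id = %s"


if __name__ == "__main__":
    # What the thread ran into: one identifier containing a dot is one name.
    print(quote_ident("lg.devices"))           # "lg.devices" -> relation does not exist
    # Schema and table quoted separately, as format('%I.%I', 'lg', 'devices') does.
    print(qualified_name("lg", "devices"))     # "lg"."devices"
    # A name with a double quote stays inside the quotes instead of ending them.
    print(qualified_name("lg", 'dev"ices; --'))
    # Pass this string and (1,) to cursor.execute(); the id is never interpolated.
    print(select_by_id("lg", "devices"))
```

Later psycopg2 releases (2.7 and up) ship psycopg2.sql.Identifier, which does this composition for you.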