Quick Links

PG do not accept quoted names for tables/columns

From:	Yaniv Hamo <hamo(at)cs(dot)Technion(dot)AC(dot)IL>
To:	<pgsql-bugs(at)postgresql(dot)org>
Subject:	PG do not accept quoted names for tables/columns
Date:	2003-02-06 09:26:44
Message-ID:	Pine.GSO.4.33_heb2.09.0302061122010.23338-100000@csd
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-bugs

Hi,
I noticed that Postgres issues a fatal error when given a quoted name of
table or column. This is a problem in secured cgi scripts, which quote
everything they get from the user, to avoid malicious users from trying to
execute SQL commands using some engineered input.

shared# select version();
version
---------------------------------------------------------------------
PostgreSQL 7.3.1 on i686-pc-linux-gnu, compiled by GCC egcs-2.91.66

shared# CREATE TABLE 'testtable' ('test' INT);
ERROR: parser: parse error at or near "'testtable'" at character 14

Thanks and have a nice day,
Yaniv

Responses

Re: PG do not accept quoted names for tables/columns at 2003-02-06 19:36:12 from Stephan Szabo
Re: PG do not accept quoted names for tables/columns at 2003-02-06 19:42:41 from Andrew McMillan
Re: PG do not accept quoted names for tables/columns at 2003-02-06 20:45:43 from Tom Lane

Browse pgsql-bugs by date

	From	Date	Subject
Next Message	Donald Fraser	2003-02-06 11:27:13	Trigger function not executing
Previous Message	pgsql-bugs	2003-02-05 16:29:08	Bug #893: Trigger causes database to crash