PG do not accept quoted names for tables/columns

From: Yaniv Hamo <hamo(at)cs(dot)Technion(dot)AC(dot)IL>
To: <pgsql-bugs(at)postgresql(dot)org>
Subject: PG do not accept quoted names for tables/columns
Date: 2003-02-06 09:26:44
Message-ID: Pine.GSO.4.33_heb2.09.0302061122010.23338-100000@csd
Lists: pgsql-bugs


Hi,
I noticed that Postgres issues a fatal error when given a quoted name of
a table or column. This is a problem in secured cgi scripts, which quote
everything they get from the user, to prevent malicious users from trying to
execute SQL commands using some engineered input.

shared# select version();
version
---------------------------------------------------------------------
PostgreSQL 7.3.1 on i686-pc-linux-gnu, compiled by GCC egcs-2.91.66

shared# CREATE TABLE 'testtable' ('test' INT);
ERROR: parser: parse error at or near "'testtable'" at character 14

Thanks and have a nice day,
Yaniv
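
The following is an added example, not part of the original message. SQL delimits identifiers with double quotes and string literals with single quotes, so a script that quotes names has to use a different routine from the one it uses for values; the sketch below shows identifier quoting for the statement in the message. The function names, the type allowlist and the sample inputs are assumptions made for this example.

```python
# Added example. Function names and sample inputs are constructed.

ALLOWED_TYPES = {"INT", "TEXT", "BOOLEAN"}  # assumed allowlist for this sketch


def quote_ident(name: str) -> str:
    """Return `name` as an SQL delimited identifier.

    Double quotes delimit identifiers; an embedded double quote is escaped
    by doubling it. Single quotes delimit string literals, which the parser
    rejects where a table or column name is expected.
    """
    if not name:
        raise ValueError("empty identifier")
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def create_table_sql(table: str, columns: list[tuple[str, str]]) -> str:
    """Build CREATE TABLE from user-supplied names and allowlisted types."""
    if not columns:
        raise ValueError("at least one column is required")
    parts = []
    for col_name, col_type in columns:
        # A type name cannot be protected by quoting, so it is matched
        # against a fixed allowlist instead of being passed through.
        normalized = col_type.strip().upper()
        if normalized not in ALLOWED_TYPES:
            raise ValueError(f"type not allowed: {col_type!r}")
        parts.append(f"{quote_ident(col_name)} {normalized}")
    return f"CREATE TABLE {quote_ident(table)} ({', '.join(parts)});"


if __name__ == "__main__":
    # The statement from the message, with identifier quoting.
    print(create_table_sql("testtable", [("test", "INT")]))
    # Constructed name containing quote characters and a space.
    print(create_table_sql('my "odd" table', [("it's", "text")]))
```

Data values, as opposed to names, are better passed as bound parameters through the database driver than quoted by hand.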
