| From: | Merlin Moncure <mmoncure(at)gmail(dot)com> |
|---|---|
| To: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
| Cc: | decibel <decibel(at)decibel(dot)org>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, "David E(dot) Wheeler" <david(at)kineticode(dot)com>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: RfD: more powerful "any" types |
| Date: | 2009-09-14 17:53:45 |
| Message-ID: | b42b73150909141053s261a087cuaabd8b281042f6bd@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Sep 14, 2009 at 1:42 PM, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> wrote:
>> How is it any worse than what people can already do? Anyone who isn't aware
>> of the dangers of SQL injection has already screwed themselves. You're
>> basically arguing that they would put a variable inside of quotes, but they
>> would never use ||.
>
> simply - people use functions quote_literal or quote_ident.
you still have use of those functions:
execute sprintf('select * from %s', quote_ident($1));
sprintf is no more or less dangerous than || operator.
merlin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kevin Grittner | 2009-09-14 17:54:38 | Re: Streaming Replication patch for CommitFest 2009-09 |
| Previous Message | Pavel Stehule | 2009-09-14 17:42:42 | Re: RfD: more powerful "any" types |