PL/pgSQL EXECUTE quote_ident(), and SQL injection

From: "Knut P(dot) Lehre" <knutpl(at)broadpark(dot)no>
To: pgsql-general(at)postgresql(dot)org
Subject: PL/pgSQL EXECUTE quote_ident(), and SQL injection
Date: 2009-06-26 08:26:40
Message-ID: fb99a155433d4.4a44a260@broadpark.no
Lists: pgsql-general

Is there any known way to inject SQL into a function similar to this?

create function testinjection(text,integer)
 returns void as
$BODY$
declare
begin
execute 'update '||quote_ident($1)||' set c=null where id='||$2;
return;
end;
$BODY$
language 'plpgsql' volatile security definer;
grant execute on function testinjection(text,integer) to public;
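As an added example (not the poster's code): the same operation written the way a defender would harden it. quote_ident() already keeps the table name in identifier position and an integer parameter cannot carry SQL text, so the remaining exposure is that a SECURITY DEFINER function accepting an arbitrary identifier lets any caller update any table its owner can reach. The version below pins search_path, binds the integer with USING, and checks the table name against an allowlist. It assumes PostgreSQL 9.1 or later for format(); the tables allowed_targets and widgets and the role app_role are constructed for the demonstration.

```sql
-- Constructed allowlist of tables this function may modify.
CREATE TABLE allowed_targets (relname text PRIMARY KEY);
INSERT INTO allowed_targets VALUES ('widgets');

CREATE OR REPLACE FUNCTION testinjection_safe(p_table text, p_id integer)
RETURNS integer                               -- number of rows updated
LANGUAGE plpgsql VOLATILE SECURITY DEFINER
SET search_path = pg_catalog, public          -- identifier resolves in a fixed schema,
                                              -- not in whatever the caller's search_path says
AS $BODY$
DECLARE
    n integer;
BEGIN
    -- Refuse any table that is not explicitly allowlisted, so the definer's
    -- privileges cannot be borrowed to update unrelated tables.
    IF NOT EXISTS (SELECT 1 FROM allowed_targets WHERE relname = p_table) THEN
        RAISE EXCEPTION 'table % is not an allowed target', p_table
            USING ERRCODE = 'insufficient_privilege';
    END IF;

    -- %I quotes the identifier exactly like quote_ident(); the integer is
    -- bound through USING, so it is never spliced into the SQL text at all.
    EXECUTE format('UPDATE %I SET c = NULL WHERE id = $1', p_table)
        USING p_id;
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n;
END;
$BODY$;

-- Least privilege: do not hand a SECURITY DEFINER function to PUBLIC.
REVOKE ALL ON FUNCTION testinjection_safe(text, integer) FROM PUBLIC;
CREATE ROLE app_role NOLOGIN;                 -- assumed application role
GRANT EXECUTE ON FUNCTION testinjection_safe(text, integer) TO app_role;

-- Demonstration on a constructed table.
CREATE TABLE widgets (id integer PRIMARY KEY, c text);
INSERT INTO widgets VALUES (1, 'a'), (2, 'b');
SELECT testinjection_safe('widgets', 1);       -- 1 row updated
SELECT testinjection_safe('other_table', 1);   -- ERROR: table other_table is not an allowed target
```

Without the allowlist the original function is not injectable, but any caller could still null out column c in every table the owner has UPDATE on; the allowlist and the REVOKE are what close that gap.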
