From: | "David Johnston" <polobo(at)yahoo(dot)com> |
---|---|
To: | "'Tom Lane'" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "'Merlin Moncure'" <mmoncure(at)gmail(dot)com> |
Cc: | "'Sim Zacks'" <sim(at)compulab(dot)co(dot)il>, "'PostgreSQL general'" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: eval function |
Date: | 2011-07-28 15:08:32 |
Message-ID: | 019401cc4d38$37d2a200$a777e600$@yahoo.com |
Lists: | pgsql-general |
Merlin Moncure <mmoncure(at)gmail(dot)com> writes:
> Couple points:
> *) why a special case for boolean values?
That seemed weird to me too ...
> *) this should be immutable
What if the passed expression is volatile? Better to be safe.
---------------------------------
At best, based upon the example using "current_timestamp()", you could only
mark it as being stable, right?
Also not mentioned: what risk is there of this function being hacked? It
places the supplied data within a "SELECT (....) AS column_alias" structure
so it seems to be pretty safe but can you devise a string that would, say,
delete data or something similar. I would expect the following: '1); DELETE
FROM table; SELECT (2' to be dangerous. What functions would you use to
make the input string safe? Does "quote_literal()" plug this hole?
Thanks,
David J.
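Added illustration, not part of the thread and not the function under discussion (its exact body is not shown in this message): the PL/pgSQL below sketches the pattern the question describes, shows why quote_literal() is not the answer, and gives the shape a defender would use instead. The names eval_unsafe and eval_safe, the EXECUTE statement layout, and the numeric-operator use case are assumptions made for the example.

```sql
-- Assumed shape of the "eval" pattern: the caller's text is concatenated
-- straight into a command string and run with EXECUTE.
CREATE OR REPLACE FUNCTION eval_unsafe(expr text) RETURNS text
LANGUAGE plpgsql AS $$
DECLARE
    result text;
BEGIN
    -- With the input from the post, '1); DELETE FROM table; SELECT (2',
    -- the command string becomes
    --     SELECT (1); DELETE FROM table; SELECT (2) AS column_alias
    -- which is three statements rather than one expression. EXECUTE hands the
    -- whole string to the SQL engine, so the DELETE runs with the caller's
    -- privileges (or the owner's, if the function were SECURITY DEFINER).
    EXECUTE 'SELECT (' || expr || ') AS column_alias' INTO result;
    RETURN result;
END;
$$;

-- quote_literal() does not plug the hole, it removes the feature: the input
-- becomes a string literal and is never evaluated.
--     SELECT eval_unsafe(quote_literal('1+1'));   -- yields the text '1+1', not 2

-- Hardened variant: the statement shape is fixed in code, the operator is
-- checked against a short allow-list, and the operands travel as parameters
-- via USING, so no part of the input can change what the statement is.
-- (Plain concatenation is used instead of format() so this also works on
-- releases older than 9.1.)
CREATE OR REPLACE FUNCTION eval_safe(op text, a numeric, b numeric) RETURNS numeric
LANGUAGE plpgsql AS $$
DECLARE
    result numeric;
BEGIN
    IF op NOT IN ('+', '-', '*', '/') THEN
        RAISE EXCEPTION 'unsupported operator: %', op;
    END IF;
    EXECUTE 'SELECT $1 ' || op || ' $2' INTO result USING a, b;
    RETURN result;
END;
$$;

-- Either way, do not leave an expression evaluator callable by everyone.
REVOKE EXECUTE ON FUNCTION eval_unsafe(text) FROM PUBLIC;

-- Expected behaviour:
--     SELECT eval_safe('+', 1, 2);            -- 3
--     SELECT eval_safe('; DELETE', 1, 2);     -- raises "unsupported operator"
```

If the real requirement is to evaluate arbitrary expressions stored in a table, the same two controls still apply: keep the function out of PUBLIC and never mark it SECURITY DEFINER, and have it run as a role that holds only the SELECT privileges the expressions legitimately need, so a string that smuggles in a DELETE has nothing to delete.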