From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
---|---|
To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Cc: | rekgrpth(at)gmail(dot)com |
Subject: | BUG #16282: Avoid sql-injections at identifiers |
Date: | 2020-02-28 08:00:33 |
Message-ID: | 16282-e9df338a7c1fad9d@postgresql.org |
Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 16282
Logged by: RekGRpth
Email address: rekgrpth(at)gmail(dot)com
PostgreSQL version: 12.2
Operating system: Docker alpine edge
Description:
To avoid SQL injections at identifiers I suggest creating a new IDOID type
for PQexecParams (and other libpq functions) and SPI_execute_with_args (and other
SPI functions) that would work like %I in the format command.
Now I need to use PQescapeIdentifier for libpq and quote_identifier for SPI,
but with the new IDOID type I could transfer identifiers via args with this type!
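The hole the reporter is working around, as an added example that is not part of the bug report and not PostgreSQL's own code: a parameter placeholder cannot stand where a table name goes, so a dynamically named table is either spliced in by concatenation (injectable) or quoted with format('%I') / quote_ident(). The tables accounts and audit and the functions truncate_unsafe and truncate_safe are constructed for this example and assume a scratch database where they may be created and dropped.

```sql
-- Added example (not from the bug report or PostgreSQL itself): why an
-- identifier cannot travel as a $1 parameter, and how format('%I') /
-- quote_ident() close the hole. Assumes a scratch database; the tables
-- below are constructed here and get dropped along the way.
CREATE TABLE accounts (id int PRIMARY KEY, balance int);
CREATE TABLE audit    (id int PRIMARY KEY, note text);

-- 1. Parameters carry values, not identifiers: this is a syntax error
--    at "$1" whatever is bound, which is exactly why the reporter cannot
--    pass a table name through the existing parameter mechanism.
DO $$
BEGIN
  EXECUTE 'TRUNCATE TABLE $1' USING 'accounts';
EXCEPTION WHEN syntax_error THEN
  RAISE NOTICE 'parameters cannot name a table: %', SQLERRM;
END $$;

-- 2. Vulnerable: identifier spliced in by concatenation. PL/pgSQL's
--    EXECUTE without USING accepts several statements, so the caller
--    can append its own.
CREATE OR REPLACE FUNCTION truncate_unsafe(tbl text) RETURNS void
LANGUAGE plpgsql AS $$
BEGIN
  EXECUTE 'TRUNCATE TABLE ' || tbl;
END $$;

-- 3. Hardened: %I double-quotes the identifier and doubles any embedded
--    double quote, the same rule quote_ident() applies. The hostile
--    string becomes one (non-existent) table name, not two statements.
CREATE OR REPLACE FUNCTION truncate_safe(tbl text) RETURNS void
LANGUAGE plpgsql AS $$
BEGIN
  EXECUTE format('TRUNCATE TABLE %I', tbl);
END $$;

-- What the quoting produces for a hostile name and for a merely odd one:
SELECT quote_ident('accounts; DROP TABLE audit; --') AS hostile,
       quote_ident('odd"name')                      AS odd,
       quote_ident('plain_name')                    AS plain;
-- hostile: "accounts; DROP TABLE audit; --"
-- odd:     "odd""name"
-- plain:   plain_name   (left unquoted: already a safe lower-case identifier)

-- Attack through the unsafe function: the injected DROP runs.
SELECT truncate_unsafe('accounts; DROP TABLE audit; --');
SELECT to_regclass('audit');          -- NULL: audit is gone

-- Same input through the hardened function: rejected as an unknown relation.
CREATE TABLE audit (id int PRIMARY KEY, note text);
DO $$
BEGIN
  PERFORM truncate_safe('accounts; DROP TABLE audit; --');
EXCEPTION WHEN undefined_table THEN
  RAISE NOTICE 'blocked: %', SQLERRM;
END $$;
SELECT to_regclass('audit');          -- audit: still there
```

The client-side equivalent of quote_ident() is the libpq call the reporter names, PQescapeIdentifier(conn, str, len), which returns a malloc'd quoted copy that must be released with PQfreemem(); server-side C code uses quote_identifier(). In both cases the quoting has to happen before the string is spliced into the command text, since no parameter binding will do it for an identifier position.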