| From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
|---|---|
| To: | Merlin Moncure <mmoncure(at)gmail(dot)com> |
| Cc: | decibel <decibel(at)decibel(dot)org>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, "David E(dot) Wheeler" <david(at)kineticode(dot)com>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: RfD: more powerful "any" types |
| Date: | 2009-09-14 18:02:23 |
| Message-ID: | 162867790909141102m5e93d1b7h50e03c41ac76fc28@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
2009/9/14 Merlin Moncure <mmoncure(at)gmail(dot)com>:
> On Mon, Sep 14, 2009 at 1:42 PM, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> wrote:
>>> How is it any worse than what people can already do? Anyone who isn't aware
>>> of the dangers of SQL injection has already screwed themselves. You're
>>> basically arguing that they would put a variable inside of quotes, but they
>>> would never use ||.
>>
>> simply - people use functions quote_literal or quote_ident.
>
> you still have use of those functions:
> execute sprintf('select * from %s', quote_ident($1));
>
> sprintf is no more or less dangerous than || operator.
sure. I commented different feature
some := 'select * from $1'
regards
Pavel
p.s. In this case, I am not sure what is more readable:
execute 'select * from ' || quote_ident($1)
is readable well too.
>
> merlin
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Emmanuel Cecchet | 2009-09-14 18:07:29 | Re: Patch for automating partitions in PostgreSQL 8.4 Beta 2 |
| Previous Message | Heikki Linnakangas | 2009-09-14 17:54:49 | Re: Streaming Replication patch for CommitFest 2009-09 |