| From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
|---|---|
| To: | Vibhor Kumar <vibhor(dot)kumar(at)enterprisedb(dot)com> |
| Cc: | Jon Smark <jon(dot)smark(at)yahoo(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Passing a table as parameter |
| Date: | 2011-03-21 20:22:28 |
| Message-ID: | AANLkTimm=VuXU785MGnLO3p=Kv6-oOHhWqgynYmvjW0V@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
2011/3/21 Vibhor Kumar <vibhor(dot)kumar(at)enterprisedb(dot)com>:
>
> On Mar 22, 2011, at 1:32 AM, Pavel Stehule wrote:
>
>> it can work too, but there is sql injection risk.
>>
>> Do newer 'SELECT ... FROM ' || tabname || ' ...
>>
>> Regards
>>
>> Pavel Stehule
>
> Yes true. Same with the following too:
> CREATE FUNCTION foo(tablename text)
> RETURNS SETOF text AS $$
> BEGIN
> RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename);
> END;
> $$ LANGUAGE plpgsql;
>
> To prevent from sql injection user can try with SQL Protect:
> http://www.enterprisedb.com/docs/en/9.0/sqlprotect/Table%20of%20Contents.htm
>
simply thinks as using USAGE clause or functions quote_ident,
quote_literal are faster and absolutly secure :). Software like SQL
Protect is good for old unsecured applications but better do
development well.
Regards
Pavel Stehule
> Thanks & Regards,
> Vibhor Kumar
> EnterpriseDB Corporation
> The Enterprise PostgreSQL Company
> vibhor(dot)kumar(at)enterprisedb(dot)com
> Blog:http://vibhork.blogspot.com
>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Scott Ribe | 2011-03-21 20:30:51 | Re: query execution time |
| Previous Message | Vibhor Kumar | 2011-03-21 20:18:55 | Re: Passing a table as parameter |