| From: | Vibhor Kumar <vibhor(dot)kumar(at)enterprisedb(dot)com> |
|---|---|
| To: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
| Cc: | Jon Smark <jon(dot)smark(at)yahoo(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Passing a table as parameter |
| Date: | 2011-03-21 20:18:55 |
| Message-ID: | D049A134-963B-4482-8DC8-3D366C319E1C@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Mar 22, 2011, at 1:32 AM, Pavel Stehule wrote:
> it can work too, but there is sql injection risk.
>
> Do newer 'SELECT ... FROM ' || tabname || ' ...
>
> Regards
>
> Pavel Stehule
Yes true. Same with the following too:
CREATE FUNCTION foo(tablename text)
RETURNS SETOF text AS $$
BEGIN
RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename);
END;
$$ LANGUAGE plpgsql;
To prevent from sql injection user can try with SQL Protect:
http://www.enterprisedb.com/docs/en/9.0/sqlprotect/Table%20of%20Contents.htm
Thanks & Regards,
Vibhor Kumar
EnterpriseDB Corporation
The Enterprise PostgreSQL Company
vibhor(dot)kumar(at)enterprisedb(dot)com
Blog:http://vibhork.blogspot.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Stehule | 2011-03-21 20:22:28 | Re: Passing a table as parameter |
| Previous Message | Aljoša Mohorović | 2011-03-21 20:09:35 | Re: postgres conferences missing videos? |