Re: RfD: more powerful "any" types
| From | Pavel Stehule |
|---|---|
| Subject | Re: RfD: more powerful "any" types |
| Date | |
| Msg-id | 162867790909141042k461b5be1rd7f729d9931db67d@mail.gmail.com |
| In reply to | Re: RfD: more powerful "any" types (decibel <decibel@decibel.org>) |
| Responses | Re: RfD: more powerful "any" types |
| List | pgsql-hackers |
2009/9/14 decibel <decibel@decibel.org>:
> On Sep 14, 2009, at 12:13 AM, Pavel Stehule wrote:
>>
>> 2009/9/13 decibel <decibel@decibel.org>:
>>>
>>> On Sep 12, 2009, at 5:54 PM, Andrew Dunstan wrote:
>>>>
>>>> decibel wrote:
>>>>>
>>>>> Speaking of concatenation...
>>>>>
>>>>> Something I find sorely missing in plpgsql is the ability to put
>>>>> variables inside of a string, ie:
>>>>>
>>>>> DECLARE
>>>>> v_table text := ...
>>>>> v_sql text;
>>>>> BEGIN
>>>>> v_sql := "SELECT * FROM $v_table";
>>>>>
>>>>> Of course, I'm assuming that if it was easy to do that it would be done
>>>>> already... but I thought I'd just throw it out there.
>>>>>
>>>>
>>>> Then use a language that supports variable interpolation in strings,
>>>> like plperl, plpythonu, plruby .... instead of plpgsql.
>>>
>>>
>>> Which makes executing SQL much, much harder.
>>>
>>> At least if we get sprintf dealing with strings might become a bit
>>> easier...
>>
>> This feature is nice - but very dangerous - it is the easiest way to
>> make an application vulnerable to SQL injection!
>
>
> How is it any worse than what people can already do? Anyone who isn't aware
> of the dangers of SQL injection has already screwed themselves. You're
> basically arguing that they would put a variable inside of quotes, but they
> would never use ||.

Simply - people use the functions quote_literal or quote_ident.

regards
Pavel Stehule

> --
> Decibel!, aka Jim C. Nasby, Database Architect decibel@decibel.org
> Give your computer some brain candy! www.distributed.net Team #1828
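The quote_ident / quote_literal pattern Pavel refers to, as an added example that is not part of the thread: the concatenation form from decibel's snippet is shown beside the version that quotes identifiers and passes values as parameters. Function names, the table argument and EXECUTE ... USING (available from PostgreSQL 8.4) are assumptions for illustration.

```sql
-- Added example, not from the thread. Hazardous form: the identifier is
-- dropped into the SQL text verbatim, so whatever v_table contains is
-- parsed as SQL rather than as a table name.
CREATE OR REPLACE FUNCTION count_rows_unsafe(v_table text)
RETURNS bigint AS $$
DECLARE
    v_sql   text;
    v_count bigint;
BEGIN
    v_sql := 'SELECT count(*) FROM ' || v_table;   -- raw interpolation
    EXECUTE v_sql INTO v_count;
    RETURN v_count;
END;
$$ LANGUAGE plpgsql;

-- Hardened form: quote_ident() double-quotes the name and escapes any
-- embedded double quotes, so the argument is always treated as exactly
-- one identifier. A value that is not a real table name fails at lookup
-- ("relation ... does not exist") instead of changing the statement.
CREATE OR REPLACE FUNCTION count_rows_safe(v_table text)
RETURNS bigint AS $$
DECLARE
    v_sql   text;
    v_count bigint;
BEGIN
    v_sql := 'SELECT count(*) FROM ' || quote_ident(v_table);
    EXECUTE v_sql INTO v_count;
    RETURN v_count;
END;
$$ LANGUAGE plpgsql;

-- Data values should not be spliced into the text at all: bind them with
-- EXECUTE ... USING (or, on older servers, wrap them in quote_literal()).
CREATE OR REPLACE FUNCTION count_matching(v_table text, v_col text, v_val text)
RETURNS bigint AS $$
DECLARE
    v_count bigint;
BEGIN
    EXECUTE 'SELECT count(*) FROM ' || quote_ident(v_table)
         || ' WHERE ' || quote_ident(v_col) || ' = $1'
       INTO v_count
       USING v_val;                                -- $1 bound as a value
    RETURN v_count;
END;
$$ LANGUAGE plpgsql;

-- Constructed check of the quoting itself (no tables needed):
-- quote_ident('pg_class') -> pg_class, quote_ident('my table') -> "my table",
-- quote_literal('it''s') -> 'it''s'.
SELECT quote_ident('pg_class'), quote_ident('my table'), quote_literal('it''s');
```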