Re: Passing a table as parameter
| From | Vibhor Kumar |
|---|---|
| Subject | Re: Passing a table as parameter |
| Date | |
| Msg-id | 337C835F-A70D-4FE3-AFEC-41D31BE3DCA6@enterprisedb.com |
| In reply to | Re: Passing a table as parameter (Pavel Stehule <pavel.stehule@gmail.com>) |
| Responses | Re: Passing a table as parameter |
| List | pgsql-general |
On Mar 22, 2011, at 1:52 AM, Pavel Stehule wrote:

> simply thinks as using USAGE clause or functions quote_ident,
> quote_literal are faster and absolutely secure :).

Software like SQL

I don't think usage of quote_ident, in the current requirement of the user, would prevent SQL injection. Running the SQL multiple times, someone can guess the table name, which can give data:

```
ERROR:  relation "am" does not exist
LINE 1: SELECT content FROM am
                            ^
QUERY:  SELECT content FROM am
CONTEXT:  PL/pgSQL function "foo" line 2 at RETURN QUERY
```

SQL Protect will make the above message something like given below:

```
ERROR:  SQLPROTECT: Illegal Query: relations
```

Which stops the user guessing the relation.

Thanks & Regards,
Vibhor Kumar
EnterpriseDB Corporation
The Enterprise PostgreSQL Company
vibhor.kumar@enterprisedb.com
Blog: http://vibhork.blogspot.com
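The point Vibhor makes above is that `quote_ident` stops syntax injection but does not stop an enumeration of relation names through the error text. The following is an added example, not code from the thread: `foo_leaky` is a reconstruction of the kind of function under discussion, and `foo_checked` is a hardened variant that resolves the name first and fails with one uniform message. It assumes PostgreSQL 9.4 or later (for `to_regclass`) and a table `am(content text)`; both names are assumptions.

```sql
-- Constructed sample table so the example runs stand-alone.
CREATE TABLE am (content text);
INSERT INTO am VALUES ('hello');

-- Pattern discussed in the thread: quote_ident prevents injection of SQL
-- syntax, but a name that does not resolve raises undefined_table and the
-- error text echoes the guessed relation, so repeated calls reveal which
-- tables exist.
CREATE OR REPLACE FUNCTION foo_leaky(tbl text)
RETURNS SETOF text
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tbl);
END
$$;

-- Hardened variant: resolve the identifier without raising, require SELECT
-- privilege, and report every failure (unknown or unauthorised relation)
-- with the same message that does not repeat the supplied name.
CREATE OR REPLACE FUNCTION foo_checked(tbl text)
RETURNS SETOF text
LANGUAGE plpgsql AS $$
DECLARE
    rel regclass;
BEGIN
    -- to_regclass returns NULL instead of raising when the name is unknown
    rel := to_regclass(quote_ident(tbl));
    IF rel IS NULL OR NOT has_table_privilege(rel, 'SELECT') THEN
        RAISE EXCEPTION 'illegal query'
            USING ERRCODE = 'insufficient_privilege';
    END IF;
    -- rel renders as a correctly quoted, schema-qualified name
    RETURN QUERY EXECUTE format('SELECT content FROM %s', rel);
END
$$;

SELECT * FROM foo_checked('am');   -- one row: hello
SELECT * FROM foo_checked('zzz');  -- ERROR:  illegal query
SELECT * FROM foo_leaky('zzz');    -- ERROR:  relation "zzz" does not exist
```

Logging the rejected name server-side (for example via `RAISE LOG`) keeps the detail available to the DBA while the client sees only the uniform error.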