Re: Passing a table as parameter
From | Pavel Stehule
---|---
Subject | Re: Passing a table as parameter
Date | 
Msg-id | AANLkTimm=VuXU785MGnLO3p=Kv6-oOHhWqgynYmvjW0V@mail.gmail.com
In reply to | Re: Passing a table as parameter (Vibhor Kumar <vibhor.kumar@enterprisedb.com>)
Responses | Re: Passing a table as parameter
List | pgsql-general
2011/3/21 Vibhor Kumar <vibhor.kumar@enterprisedb.com>:
>
> On Mar 22, 2011, at 1:32 AM, Pavel Stehule wrote:
>
>> It can work too, but there is SQL injection risk.
>>
>> Never do 'SELECT ... FROM ' || tabname || ' ...
>>
>> Regards
>>
>> Pavel Stehule
>
> Yes true. Same with the following too:
> CREATE FUNCTION foo(tablename text)
> RETURNS SETOF text AS $$
> BEGIN
> RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename);
> END;
> $$ LANGUAGE plpgsql;
>
> To prevent from SQL injection user can try with SQL Protect:
> http://www.enterprisedb.com/docs/en/9.0/sqlprotect/Table%20of%20Contents.htm
>

Simple things like using the USAGE clause or the functions quote_ident, quote_literal are faster and absolutely secure :). Software like SQL Protect is good for old unsecured applications, but better to do development well.

Regards

Pavel Stehule

> Thanks & Regards,
> Vibhor Kumar
> EnterpriseDB Corporation
> The Enterprise PostgreSQL Company
> vibhor.kumar@enterprisedb.com
> Blog: http://vibhork.blogspot.com
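The two patterns discussed in this thread side by side, as an added example that is not code from either poster: the unsafe concatenation Pavel warns against, and the hardened form using `quote_ident()` / `format('%I')` that Vibhor's snippet uses. The table name `demo_notes`, the function names and the role name are assumed for illustration.

```sql
-- Added example (not from the thread). Names below are assumed for illustration.

CREATE TABLE demo_notes (content text);
INSERT INTO demo_notes VALUES ('first'), ('second');

-- Unsafe: the caller-supplied name is spliced straight into the SQL text,
-- so any identifier-breaking characters in tablename become part of the query.
-- This is the 'SELECT ... FROM ' || tabname pattern the thread says never to use.
CREATE OR REPLACE FUNCTION unsafe_contents(tablename text)
RETURNS SETOF text AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT content FROM ' || tablename;
END;
$$ LANGUAGE plpgsql;

-- Hardened: format() with %I (equivalent to quote_ident()) double-quotes the
-- identifier, so the argument can only ever name a relation, never extend
-- the statement. Use %L (quote_literal) for string values, never %s.
CREATE OR REPLACE FUNCTION safe_contents(tablename text)
RETURNS SETOF text AS $$
BEGIN
    RETURN QUERY EXECUTE format('SELECT content FROM %I', tablename);
END;
$$ LANGUAGE plpgsql;

-- Schema-qualified variant: quote each part separately, never the dotted string.
CREATE OR REPLACE FUNCTION safe_contents_in(schemaname text, tablename text)
RETURNS SETOF text AS $$
BEGIN
    RETURN QUERY EXECUTE format('SELECT content FROM %I.%I', schemaname, tablename);
END;
$$ LANGUAGE plpgsql;

-- Inspect how quoting neutralises awkward input: a constructed identifier
-- containing a double quote, a semicolon and a space stays one identifier,
-- with the embedded quote doubled.
SELECT quote_ident('notes"; junk');
SELECT format('SELECT content FROM %I', 'notes"; junk');

-- Normal use works the same for both functions.
SELECT * FROM safe_contents('demo_notes');
SELECT * FROM safe_contents_in('public', 'demo_notes');

-- With the hardened function a name that is not an existing relation simply
-- raises "relation does not exist" instead of executing extra SQL:
-- SELECT * FROM safe_contents('demo_notes x');

-- Belt and braces (the USAGE/privilege side Pavel mentions): the function can
-- only read what its executing role may read, so keep that role's grants narrow.
-- REVOKE ALL ON demo_notes FROM some_app_role;   -- assumed role name
-- GRANT SELECT ON demo_notes TO some_app_role;
```

The point to take from the `quote_ident()` calls is that quoting an identifier is not the same as quoting a literal: `quote_ident` wraps the name in double quotes and doubles any embedded double quotes, while `quote_literal` handles single-quoted string values. Using `format()` with the right placeholder (`%I` or `%L`) makes the choice explicit at each splice point and is easier to review than a chain of `||` concatenations.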