Re: Sanitize schema name
| От | Ludovic Gasc |
|---|---|
| Тема | Re: Sanitize schema name |
| Дата | |
| Msg-id | CAON-fpGiXspT=vDhVsDZuaT0ean6iawjq_vYtQfTiTRgX6QFWw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Sanitize schema name (Adrian Klaver <adrian.klaver@aklaver.com>) |
| Ответы |
Re: Sanitize schema name
|
| Список | psycopg |
2015-05-08 0:12 GMT+02:00 Adrian Klaver <adrian.klaver@aklaver.com>:
On 05/07/2015 01:06 PM, Ludovic Gasc wrote:Thanks all for your answers, you understand well my need.
About PQescapeIdentifier:
1. An idea of release date for the next version of psycopg2 ?
2. Are you sure it's enough to protect against SQL injections, because
you can read in the documentation: *Tip:* As with string literals, to
prevent SQL injection attacks, SQL identifiers must be escaped when they
are received from an untrustworthy source.
About format() it doesn't work for schema, example:
SELECT format('SELECT * FROM %I WHERE id=1', 'lg.devices')
=> SELECT * FROM "lg.devices" WHERE id=1
SELECT * FROM "lg.devices" WHERE id=1
=> ERROR: relation "lg.devices" does not exist
LIGNE 1 : SELECT * FROM "lg.devices" WHERE id=1
^
********** Error **********
ERROR: relation "lg.devices" does not exist
Try:
SELECT format('SELECT * FROM %I.%I WHERE id=1', 'lg', 'devices')
Ok, now, it works, but, I need to launch the query two times: First time with SELECT format(, a second time with the result of the first query.
It should be possible to execute that only in one pass ?
Still not sure why you cannot use search_path and avoid the schema qualification altogether?
Because I use a pool of pgsql sockets where no connexions are dedicated to one particular client.
I could change that each time just before to execute each query, but it shouldn't be very efficient.
--
Adrian Klaver
adrian.klaver@aklaver.com
В списке psycopg по дате отправления: