Re: Passing a table as parameter
From | Vibhor Kumar
---|---
Subject | Re: Passing a table as parameter
Date |
Msg-id | D049A134-963B-4482-8DC8-3D366C319E1C@enterprisedb.com
In reply to | Re: Passing a table as parameter (Pavel Stehule <pavel.stehule@gmail.com>)
Responses | Re: Passing a table as parameter
List | pgsql-general
On Mar 22, 2011, at 1:32 AM, Pavel Stehule wrote:

> it can work too, but there is sql injection risk.
>
> Never do 'SELECT ... FROM ' || tabname || ' ...
>
> Regards
>
> Pavel Stehule

Yes, true. Same with the following too:

CREATE FUNCTION foo(tablename text) RETURNS SETOF text AS $$
BEGIN
    -- quote_ident() double-quotes the argument where needed, so it is
    -- used as a single identifier rather than spliced into the query text
    RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename);
END;
$$ LANGUAGE plpgsql;

To prevent SQL injection, the user can try SQL Protect:
http://www.enterprisedb.com/docs/en/9.0/sqlprotect/Table%20of%20Contents.htm

Thanks & Regards,
Vibhor Kumar
EnterpriseDB Corporation
The Enterprise PostgreSQL Company
vibhor.kumar@enterprisedb.com
Blog: http://vibhork.blogspot.com
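The dynamic-SQL pattern discussed in this message, as an added example that is not part of the original thread or of either poster's code: the injectable string-concatenation form beside the quote_ident()/format('%I') form, exercised with a constructed payload, plus a regclass-typed variant (which goes beyond the message) for the schema-qualified case that quote_ident() cannot handle. The tables, function names and payload are constructed for this demonstration; format() with %I assumes PostgreSQL 9.1 or later.

```sql
-- Added example, not from the original thread. Assumes PostgreSQL 9.1+
-- (format() with %I). Tables, function names and the payload are constructed.

CREATE TABLE notes   (content text);
CREATE TABLE secrets (content text);
INSERT INTO notes   VALUES ('public note');
INSERT INTO secrets VALUES ('hidden row');

-- Unsafe: the caller's string is spliced straight into the query text.
CREATE FUNCTION contents_unsafe(tablename text) RETURNS SETOF text AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT content FROM ' || tablename;
END;
$$ LANGUAGE plpgsql;

-- Safe: %I applies quote_ident(), so the whole argument becomes one
-- (double-quoted where necessary) identifier and can only name a relation.
CREATE FUNCTION contents_safe(tablename text) RETURNS SETOF text AS $$
BEGIN
    RETURN QUERY EXECUTE format('SELECT content FROM %I', tablename);
END;
$$ LANGUAGE plpgsql;

-- Also safe, and accepts schema-qualified names such as 'public.notes',
-- which quote_ident() would turn into the single identifier "public.notes":
-- a regclass argument must resolve to an existing relation when the function
-- is called, and its text form is already correctly quoted, so %s is enough.
CREATE FUNCTION contents_regclass(tbl regclass) RETURNS SETOF text AS $$
BEGIN
    RETURN QUERY EXECUTE format('SELECT content FROM %s', tbl);
END;
$$ LANGUAGE plpgsql;

-- Normal use: each call returns the single row of notes.
SELECT * FROM contents_unsafe('notes');
SELECT * FROM contents_safe('notes');
SELECT * FROM contents_regclass('public.notes');

-- Attack: a "table name" that smuggles in a second SELECT.
-- Unsafe: executes
--   SELECT content FROM notes UNION ALL SELECT content FROM secrets
-- and returns 'hidden row' as well as 'public note'.
SELECT * FROM contents_unsafe('notes UNION ALL SELECT content FROM secrets');

-- Safe: executes
--   SELECT content FROM "notes UNION ALL SELECT content FROM secrets"
-- and fails because no relation of that name exists.
SELECT * FROM contents_safe('notes UNION ALL SELECT content FROM secrets');

-- regclass: the cast of the argument fails before the function body runs.
SELECT * FROM contents_regclass('notes UNION ALL SELECT content FROM secrets');
```

Run the script in psql outside a transaction block so the two deliberately failing statements at the end report their errors without rolling back the earlier ones. The payload is only a UNION, but anything the caller can append to the query text is reachable in the unsafe variant; the hardened variants reduce the attack surface to "name a relation the function's executor may read", which is the most a table-name parameter should ever be able to do.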