2011/3/21 Vibhor Kumar <vibhor.kumar@xxxxxxxxxxxxxxxx>:
>
> On Mar 22, 2011, at 1:32 AM, Pavel Stehule wrote:
>
>> It can work too, but there is an SQL injection risk.
>>
>> Never do 'SELECT ... FROM ' || tabname || ' ...
>>
>> Regards
>>
>> Pavel Stehule
>
> Yes, true. Same with the following too:
>
> CREATE FUNCTION foo(tablename text)
> RETURNS SETOF text AS $$
> BEGIN
>   RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename);
> END;
> $$ LANGUAGE plpgsql;
>
> To prevent SQL injection, users can try SQL Protect:
> http://www.enterprisedb.com/docs/en/9.0/sqlprotect/Table%20of%20Contents.htm
>

I simply think that using the USAGE clause or the functions quote_ident, quote_literal is faster and absolutely secure :). Software like SQL Protect is good for old, unsecured applications, but it is better to do development well.

Regards

Pavel Stehule

> Thanks & Regards,
> Vibhor Kumar
> EnterpriseDB Corporation
> The Enterprise PostgreSQL Company
> vibhor.kumar@xxxxxxxxxxxxxxxx
> Blog: http://vibhork.blogspot.com
>

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
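The injection Pavel warns about, shown end to end as an added example that is not part of the thread or of either poster's code: a PL/pgSQL function that splices a caller-supplied table name into dynamic SQL, the payload that turns it into a read of another table, and the two fixes the thread mentions, quote_ident() for identifiers and the EXECUTE ... USING clause for values. The tables docs and secrets, the functions get_content_unsafe, get_content_safe and find_content, and the sample rows are all constructed for this example. Both quote_ident() and RETURN QUERY EXECUTE ... USING exist in PostgreSQL 9.0, the version the thread refers to; format('%I', ...) is the equivalent identifier-quoting helper from 9.1 on.

```sql
-- Constructed fixtures (not from the thread).
CREATE TABLE docs(id serial PRIMARY KEY, content text);
INSERT INTO docs(content) VALUES ('alpha'), ('beta');
CREATE TABLE secrets(id serial PRIMARY KEY, content text);
INSERT INTO secrets(content) VALUES ('s3cr3t');

-- Vulnerable: the argument is pasted into the query text verbatim, so it
-- can contain anything the SQL grammar accepts after FROM.
CREATE FUNCTION get_content_unsafe(tablename text)
RETURNS SETOF text AS $$
BEGIN
  RETURN QUERY EXECUTE 'SELECT content FROM ' || tablename;
END;
$$ LANGUAGE plpgsql;

-- Attacker-controlled "table name": one query becomes a UNION that also
-- returns every row of secrets.
SELECT * FROM get_content_unsafe('docs UNION ALL SELECT content FROM secrets');
-- alpha, beta, s3cr3t

-- Fix 1: quote_ident() makes the argument exactly one identifier. It is
-- double-quoted if it is not a plain lower-case name, so the payload is
-- looked up as a table literally called
-- "docs UNION ALL SELECT content FROM secrets".
CREATE FUNCTION get_content_safe(tablename text)
RETURNS SETOF text AS $$
BEGIN
  RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename);
END;
$$ LANGUAGE plpgsql;

SELECT * FROM get_content_safe('docs');
-- alpha, beta
SELECT * FROM get_content_safe('docs UNION ALL SELECT content FROM secrets');
-- ERROR:  relation "docs UNION ALL SELECT content FROM secrets" does not exist

-- Fix 2: values are never concatenated into the string at all. USING binds
-- them as parameters ($1, $2, ...), so quoting characters in the value are
-- just data. quote_ident() still handles the identifier part.
CREATE FUNCTION find_content(tablename text, needle text)
RETURNS SETOF text AS $$
BEGIN
  RETURN QUERY EXECUTE
    'SELECT content FROM ' || quote_ident(tablename) || ' WHERE content = $1'
    USING needle;
END;
$$ LANGUAGE plpgsql;

SELECT * FROM find_content('docs', 'alpha');
-- alpha
-- A classic tautology payload matches nothing, because it is compared as a
-- plain string rather than parsed as SQL.
SELECT * FROM find_content('docs', 'alpha'' OR ''1''=''1');
-- (no rows)
```

Run it in psql against a scratch database; the second SELECT on get_content_unsafe is the one that leaks. The rule the example encodes is the one Pavel gives: identifiers go through quote_ident() (or format('%I')), values go through USING, and nothing from the caller is ever concatenated raw into the command string.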