On Thu, Jul 28, 2011 at 8:08 AM, David Johnston <polobo@xxxxxxxxx> wrote:
> At best, based upon the example using "current_timestamp()", you could only
> mark it as being stable, right?
>
> Also not mentioned; what risk is there of this function being hacked? It
> places the supplied data within a "SELECT (....) AS column_alias" structure
> so it seems to be pretty safe but can you devise a string that would, say,
> delete data or something similar. I would expect the following: '1); DELETE
> FROM table; SELECT (2' to be dangerous. What functions would you use to
> make the input string safe? Does "quote_literal()" plug this hole?

I don't think the hole can be plugged. The point of the function is to execute arbitrary SQL code. That means doing SQL injection purposely in the function. I don't think there is a way around it because SQL injection is specifically what is desired.

Best Wishes,
Chris Travers

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
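The exchange above can be reproduced in a few lines of PL/pgSQL. The block below is an added example, not code posted by either participant: it assumes a hypothetical function `eval_expr` that wraps its argument in `SELECT (...) AS column_alias` exactly as the quoted question describes, a throwaway table `demo_table`, and a second hypothetical function `eval_expr_quoted` that applies `quote_literal()` to the same input. Run it in psql against a scratch database.

```sql
-- Added example (not from the thread). Names are assumptions: eval_expr,
-- eval_expr_quoted and demo_table do not appear in the original messages.
CREATE TABLE demo_table (id int);
INSERT INTO demo_table VALUES (1), (2), (3);

-- The function under discussion: the caller's text is spliced into
-- "SELECT (...) AS column_alias" and executed as dynamic SQL.
CREATE OR REPLACE FUNCTION eval_expr(expr text) RETURNS text
LANGUAGE plpgsql AS $$
DECLARE
    result text;
BEGIN
    EXECUTE 'SELECT (' || expr || ') AS column_alias' INTO result;
    RETURN result;
END;
$$;

-- Intended use: the argument is SQL, so it is evaluated as SQL.
SELECT eval_expr('1 + 1');               -- 2
SELECT eval_expr('current_timestamp');   -- differs per transaction, so the
                                         -- function can be at most STABLE

-- The payload from the question. After concatenation the executed string is
--   SELECT (1); DELETE FROM demo_table; SELECT (2) AS column_alias
-- EXECUTE runs all three statements; INTO captures the last one, so the call
-- returns 2 and the DELETE has already happened.
SELECT eval_expr('1); DELETE FROM demo_table; SELECT (2');
SELECT count(*) FROM demo_table;         -- 0

-- quote_literal() does not plug the hole; it turns the function into a
-- different function. The input becomes a string literal, so nothing in it
-- is evaluated any more: '1 + 1' comes back as the text '1 + 1'.
CREATE OR REPLACE FUNCTION eval_expr_quoted(expr text) RETURNS text
LANGUAGE plpgsql AS $$
DECLARE
    result text;
BEGIN
    EXECUTE 'SELECT (' || quote_literal(expr) || ') AS column_alias' INTO result;
    RETURN result;
END;
$$;

SELECT eval_expr_quoted('1 + 1');                                  -- '1 + 1'
SELECT eval_expr_quoted('1); DELETE FROM demo_table; SELECT (2');  -- same text back, harmless
```

The two functions make the reply's point concrete: the first one is "safe" only in the sense that it does exactly what it was written to do, which is execute whatever SQL it is handed, and the quoted variant is safe only because it no longer executes anything. The remaining control is not string sanitisation but who is allowed to call the function and with which privileges (an invoker role that holds only the SELECT grants it needs cannot make the injected DELETE succeed); that is a general observation, not something the thread itself goes on to discuss.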