PL/pgSQL EXECUTE quote_ident(), and SQL injection

Is there any known way to inject SQL into a function similar to this?

create function testinjection(text,integer)
 returns void as
$BODY$
declare
begin
-- $1 is the table name, quoted as an identifier; $2 is an integer, so it is
-- concatenated as a plain number rather than as user-supplied text.
execute 'update '||quote_ident($1)||' set c=null where id='||$2;
return;
end;
$BODY$
language 'plpgsql' volatile security definer;
-- runs with the privileges of the function owner, callable by anyone
grant execute on function testinjection(text,integer) to public;
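For comparison, an added hardened variant of the same function (example code, not part of the original post or of PostgreSQL itself): the identifier is still quoted, but the value goes in as a bound parameter, search_path is pinned for the SECURITY DEFINER body, and, because the real exposure of such a function is that any caller can update column c of any table the owner can reach, the table name is checked against a constant allowlist. The table names widgets and gadgets and the role app_role are assumed.

```sql
-- Hardened variant of testinjection (added example, not from the original post).
CREATE FUNCTION testinjection_hardened(target_table text, target_id integer)
RETURNS void
LANGUAGE plpgsql
VOLATILE
SECURITY DEFINER
SET search_path = pg_catalog, public   -- fix name resolution inside the body
AS $BODY$
BEGIN
    -- quote_ident()/%I only stop identifier injection; they do not limit
    -- which tables a definer-privileged caller may touch, so allowlist them.
    -- (widgets/gadgets are assumed table names for this example.)
    IF target_table <> ALL (ARRAY['widgets', 'gadgets']) THEN
        RAISE EXCEPTION 'table % is not permitted', target_table;
    END IF;

    -- %I quotes the identifier exactly as quote_ident() does; the id is
    -- passed via USING as a bound parameter, never spliced into the text.
    EXECUTE format('UPDATE %I SET c = NULL WHERE id = $1', target_table)
    USING target_id;
END;
$BODY$;

-- SECURITY DEFINER functions are executable by PUBLIC by default;
-- revoke that and grant only to the role that needs it (app_role is assumed).
REVOKE EXECUTE ON FUNCTION testinjection_hardened(text, integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION testinjection_hardened(text, integer) TO app_role;
```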
