On Mon, Sep 14, 2009 at 1:42 PM, Pavel Stehule <pavel.steh...@gmail.com> wrote:
>> How is it any worse than what people can already do? Anyone who isn't aware
>> of the dangers of SQL injection has already screwed themselves. You're
>> basically arguing that they would put a variable inside of quotes, but they
>> would never use ||.
>
> simply - people use functions quote_literal or quote_ident.
you still have use of those functions:
execute sprintf('select * from %s', quote_ident($1));
sprintf is no more or less dangerous than || operator.
merlin
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
