On Mon, Sep 14, 2009 at 1:42 PM, Pavel Stehule <pavel.steh...@gmail.com> wrote: >> How is it any worse than what people can already do? Anyone who isn't aware >> of the dangers of SQL injection has already screwed themselves. You're >> basically arguing that they would put a variable inside of quotes, but they >> would never use ||. > > simply - people use functions quote_literal or quote_ident.
you still have use of those functions: execute sprintf('select * from %s', quote_ident($1)); sprintf is no more or less dangerous than || operator. merlin -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers