2009/9/14 Merlin Moncure <mmonc...@gmail.com>:
> On Mon, Sep 14, 2009 at 1:42 PM, Pavel Stehule <pavel.steh...@gmail.com>
> wrote:
>>> How is it any worse than what people can already do? Anyone who isn't aware
>>> of the dangers of SQL injection has already screwed themselves. You're
>>> basically arguing that they would put a variable inside of quotes, but they
>>> would never use ||.
>>
>> simply - people use functions quote_literal or quote_ident.
>
> you still have use of those functions:
> execute sprintf('select * from %s', quote_ident($1));
>
> sprintf is no more or less dangerous than || operator.
sure. I commented different feature
some := 'select * from $1'
regards
Pavel
p.s. In this case, I am not sure what is more readable:
execute 'select * from ' || quote_ident($1)
is readable well too.
>
> merlin
>
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
