I thought of that but I assume we were not accepting user-supplied
identifiers for this --- that this was only for application use.  Am I
wrong?

Well, yes, the plan was to accept user-supplied identifiers...

If you insist on a practical example, I can certainly imagine someone
thinking it'd be cool to allow searches on a user-selected column, and
implementing that by passing the user-given column name straight into
the query with only PQescapeIdentifier for safety.

Yes, phpPgAdmin sure would. I imagine this would be a nightmare to address properly, so perhaps we should remove the function :(

