Re: Sanitize schema name
From | Adrian Klaver |
---|---|
Subject | Re: Sanitize schema name |
Date | |
Msg-id | 554BE334.1030300@aklaver.com |
In reply to | Re: Sanitize schema name (Ludovic Gasc <gmludo@gmail.com>) |
Responses | Re: Sanitize schema name |
List | psycopg |
On 05/07/2015 01:06 PM, Ludovic Gasc wrote:
> Thanks all for your answers, you understand my need well.
>
> About PQescapeIdentifier:
> 1. Any idea of the release date for the next version of psycopg2?
> 2. Are you sure it's enough to protect against SQL injections, because
> you can read in the documentation: *Tip:* As with string literals, to
> prevent SQL injection attacks, SQL identifiers must be escaped when they
> are received from an untrustworthy source.
>
> About format(), it doesn't work for schema, example:
> SELECT format('SELECT * FROM %I WHERE id=1', 'lg.devices')
> => SELECT * FROM "lg.devices" WHERE id=1
> SELECT * FROM "lg.devices" WHERE id=1
> => ERROR: relation "lg.devices" does not exist
> LINE 1: SELECT * FROM "lg.devices" WHERE id=1
>                       ^
>
> ********** Error **********
>
> ERROR: relation "lg.devices" does not exist
>

Try:

SELECT format('SELECT * FROM %I.%I WHERE id=1', 'lg', 'devices')

Still not sure why you cannot use search_path and avoid the schema qualification altogether?

--
Adrian Klaver
adrian.klaver@aklaver.com
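The schema-qualification point above, as an added example that is not part of the original thread and not psycopg2's own code: a small Python quoter that applies the same rule as PostgreSQL's format('%I') / quote_ident() (wrap the name in double quotes, double any embedded double quote) and quotes the schema and the table as two separate identifiers, run against an in-memory SQLite database standing in for PostgreSQL (SQLite accepts the same "schema"."table" syntax). The function names quote_ident, quote_qualified, make_db, try_select and run_demo, the lg/devices sample data and the hostile table name are all constructed for this example. For the record, later psycopg2 releases (2.7 onward) ship psycopg2.sql.Identifier, which applies the same quoting rule.

```python
import sqlite3

# PostgreSQL identifiers are limited to NAMEDATALEN-1 = 63 bytes and are
# silently truncated beyond that, so reject longer names from untrusted input.
PG_MAX_IDENT_BYTES = 63


def quote_ident(name: str) -> str:
    """Quote one SQL identifier.

    Same rule as PostgreSQL's quote_ident()/format('%I'): wrap in double
    quotes and double any embedded double quote. Nothing inside the quotes
    is parsed as SQL, so a hostile name can at most refer to a relation
    that does not exist; it cannot change the statement's structure.
    """
    if not name:
        raise ValueError("empty identifier")
    if "\x00" in name:
        raise ValueError("identifier contains a NUL byte")
    if len(name.encode("utf-8")) > PG_MAX_IDENT_BYTES:
        raise ValueError("identifier longer than %d bytes" % PG_MAX_IDENT_BYTES)
    return '"' + name.replace('"', '""') + '"'


def quote_qualified(schema: str, table: str) -> str:
    """Quote schema and table separately: "lg"."devices", never "lg.devices"."""
    return quote_ident(schema) + "." + quote_ident(table)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an attached database 'lg' holding table 'devices'.

    SQLite stands in for PostgreSQL here; it uses the same double-quoted
    identifier syntax and the same schema.table qualification.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS lg")
    conn.execute("CREATE TABLE lg.devices (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO lg.devices VALUES (?, ?)",
                     [(1, "sensor-1"), (2, "sensor-2")])
    return conn


def try_select(conn, from_clause: str, row_id: int):
    """SELECT from an already-quoted FROM clause.

    Identifiers cannot be bound as query parameters, so the quoted name is
    interpolated into the statement text; the value still goes through a
    placeholder ('?' in sqlite3, '%s' in psycopg2).
    Returns ("ok", row) or ("error", message).
    """
    sql = "SELECT id, name FROM %s WHERE id = ?" % from_clause
    try:
        return ("ok", conn.execute(sql, (row_id,)).fetchone())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def run_demo() -> dict:
    conn = make_db()
    # Constructed hostile input: a table name that tries to close the quote
    # and append a second statement.
    hostile = 'devices"; DROP TABLE lg.devices; --'
    results = {
        # Correct: each part of the qualified name quoted on its own.
        "qualified": try_select(conn, quote_qualified("lg", "devices"), 1),
        # The mistake from the thread: the dotted string quoted as ONE name,
        # which asks for a table literally called "lg.devices".
        "dotted": try_select(conn, quote_ident("lg.devices"), 1),
        # Untrusted name: once quoted it is merely an unknown table.
        "hostile": try_select(conn, quote_qualified("lg", hostile), 1),
    }
    # The DROP never ran: the data is still there.
    results["rows_left"] = conn.execute("SELECT count(*) FROM lg.devices").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Quoting answers the syntactic half of the question: an escaped identifier cannot break out of the statement. It does not decide whether the caller is allowed to read that table at all, so a name taken from an untrusted source should still be checked against an allowlist of permitted schemas and tables (or, as suggested above, the schema should be fixed through search_path rather than supplied by the client).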