2011/3/21 Vibhor Kumar <vibhor.kumar@enterprisedb.com>:
>
> On Mar 22, 2011, at 1:32 AM, Pavel Stehule wrote:
>
>> it can work too, but there is sql injection risk.
>>
>> Do newer 'SELECT ... FROM ' || tabname || ' ...
>>
>> Regards
>>
>> Pavel Stehule
>
> Yes true. Same with the following too:
> CREATE FUNCTION foo(tablename text)
> RETURNS SETOF text AS $$
> BEGIN
> RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename);
> END;
> $$ LANGUAGE plpgsql;
>
> To prevent from sql injection user can try with SQL Protect:
> http://www.enterprisedb.com/docs/en/9.0/sqlprotect/Table%20of%20Contents.htm
>
simply thinks as using USAGE clause or functions quote_ident,
quote_literal are faster and absolutly secure :). Software like SQL
Protect is good for old unsecured applications but better do
development well.
Regards
Pavel Stehule
> Thanks & Regards,
> Vibhor Kumar
> EnterpriseDB Corporation
> The Enterprise PostgreSQL Company
> vibhor.kumar@enterprisedb.com
> Blog:http://vibhork.blogspot.com
>
>