Re: eval function
| From | Chris Travers |
|---|---|
| Subject | Re: eval function |
| Date | |
| Msg-id | CAKt_ZfuZsy7gFmjnuGmmkFqayVA0ErLgRa2CwtxULXpSpWyTFw@mail.gmail.com |
| In reply to | Re: eval function ("David Johnston" <polobo@yahoo.com>) |
| Responses | Re: eval function |
| List | pgsql-general |
On Thu, Jul 28, 2011 at 8:08 AM, David Johnston <polobo@yahoo.com> wrote:

> At best, based upon the example using "current_timestamp()", you could only
> mark it as being stable, right?
>
> Also not mentioned; what risk is there of this function being hacked? It
> places the supplied data within a "SELECT (....) AS column_alias" structure
> so it seems to be pretty safe but can you devise a string that would, say,
> delete data or something similar. I would expect the following: '1); DELETE
> FROM table; SELECT (2' to be dangerous. What functions would you use to
> make the input string safe? Does "quote_literal()" plug this hole?

I don't think the hole can be plugged. The point of the function is to execute arbitrary SQL code. That means doing SQL injection purposely in the function. I don't think there is a way around it because SQL injection is specifically what is desired.

Best Wishes,
Chris Travers
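The following is an added illustration of the point made in this exchange and is not code from the thread. It reconstructs the kind of `eval()` function being discussed (the thread only says it wraps its argument in `SELECT (....) AS column_alias`; the function body, the name `eval_with_value`, and the role `trusted_role` are assumptions), shows why `quote_literal()` cannot help, and shows the two things a defender can do instead: bind caller data as a parameter when the expression is fixed, and restrict who may call a function that really must run arbitrary SQL.

```sql
-- Reconstruction (assumed) of the eval() under discussion: the argument is
-- spliced into the SQL text and EXECUTEd, so it is code by design.
CREATE OR REPLACE FUNCTION eval(expr text) RETURNS text AS $$
DECLARE
    result text;
BEGIN
    EXECUTE 'SELECT (' || expr || ') AS column_alias' INTO result;
    RETURN result;
END;
$$ LANGUAGE plpgsql;

SELECT eval('1 + 1');              -- '2': the intended use
SELECT eval('current_timestamp');  -- value depends on the transaction, so at best STABLE

-- quote_literal() does not "plug the hole": it turns the whole argument into a
-- string constant, so the function no longer evaluates anything at all.
SELECT eval(quote_literal('current_timestamp'));  -- returns the text 'current_timestamp'

-- If the real requirement is "run a fixed expression over caller-supplied data",
-- bind the data with EXECUTE ... USING instead of splicing it into the SQL text.
-- $1 is always a value here, never code. (eval_with_value is an assumed name.)
CREATE OR REPLACE FUNCTION eval_with_value(val text) RETURNS text AS $$
DECLARE
    result text;
BEGIN
    EXECUTE 'SELECT (length($1))::text AS column_alias' INTO result USING val;
    RETURN result;
END;
$$ LANGUAGE plpgsql;

-- The string from the thread is measured, not executed: returns '32'.
SELECT eval_with_value('1); DELETE FROM table; SELECT (2');

-- Where an eval() that runs arbitrary SQL is genuinely required, the remaining
-- control is privilege: keep it SECURITY INVOKER (the default) so it runs with
-- the caller's own rights, and grant EXECUTE only to callers who are trusted
-- with direct SQL access anyway. (trusted_role is a placeholder.)
REVOKE EXECUTE ON FUNCTION eval(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION eval(text) TO trusted_role;
```

The contrast is the whole point of the reply above: `eval_with_value()` is injection-proof because its SQL is constant and the input is a bound parameter, while `eval()` cannot be made injection-proof by any quoting function, because the moment its input is quoted it stops being an `eval`. The only mitigations left for such a function are who may call it and under whose privileges it runs.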