Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal

Tom Lane writes:

> My feeling is that the name-based variants of has_table_privilege should
> perform downcasing and truncation of the supplied strings before trying
> to use them as tablename or username; see get_seq_name in
> backend/commands/sequence.c for a model.

I don't like this approach.  It's ugly, non-intuitive, and inconvenient.

Since these functions will primarily be used in building a sort of
information schema and for querying system catalogs, we should use the
approach that is or will be used there:  character type values contain the
table name already case-adjusted.  Imagine the pain we would have to go
through to *re-quote* the names we get from the system catalogs and
information schema components before passing them to this function.

-- 
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter