Re: PL/pgSQL EXECUTE quote_ident(), and SQL injection
| From | Knut P. Lehre |
|---|---|
| Subject | Re: PL/pgSQL EXECUTE quote_ident(), and SQL injection |
| Date | |
| Msg-id | fbb5bdf644be6.4a44c17c@broadpark.no |
| In reply to | PL/pgSQL EXECUTE quote_ident(), and SQL injection ("Knut P. Lehre" <knutpl@broadpark.no>) |
| Responses | Re: PL/pgSQL EXECUTE quote_ident(), and SQL injection |
| List | pgsql-general |
Since this stripped-down example function looks a bit meaningless, I'd like to rephrase the question to make it clearer: Does quote_ident() prevent all ways of trying to inject SQL into $1, so that the testinjection function cannot be used to do anything other than setting column c to null in an existing table?
----- Original Message -----
> Is there any known way to inject SQL into a function similar to this?
>
> create function testinjection(text,integer)
> returns void as
> $BODY$
> declare
> begin
> execute 'update '||quote_ident($1)||' set c=null where id='||$2;
> return;
> end;
> $BODY$
> language 'plpgsql' volatile security definer;
> grant execute on function testinjection(text,integer) to public;
>
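The following hardened rewrite of the quoted function is an added example, not code from the original thread: it shows that quote_ident() (and format()'s %I) always turns $1 into exactly one double-quoted identifier, that the integer $2 is better passed as a bind parameter with USING than concatenated, and that, because the function is SECURITY DEFINER, only an explicit allowlist limits which tables a caller can modify, since quote_ident() makes the identifier safe but not restricted. It assumes PostgreSQL 9.1 or later for format(); the table demo_t and the name testinjection_safe are constructed for the demonstration.

```sql
-- Added example: constructed demo table, not part of the original post.
create table demo_t (id integer primary key, c text);
insert into demo_t values (1, 'keep'), (2, 'clear');

create or replace function testinjection_safe(tbl text, row_id integer)
returns void as
$BODY$
begin
  -- SECURITY DEFINER runs with the owner's rights, so restrict which
  -- tables a caller may name; quote_ident() alone does not do this.
  if tbl <> 'demo_t' then
    raise exception 'table % is not allowed', tbl;
  end if;
  -- %I applies the same quoting as quote_ident(); the integer argument is
  -- bound with USING instead of being concatenated into the statement.
  execute format('update %I set c = null where id = $1', tbl) using row_id;
end;
$BODY$
language plpgsql volatile security definer;

revoke all on function testinjection_safe(text, integer) from public;
grant execute on function testinjection_safe(text, integer) to public;

-- quote_ident() wraps the whole argument in double quotes and doubles any
-- embedded double quote, so the result is a single (possibly nonexistent)
-- identifier rather than additional SQL.
select quote_ident('demo_t" set c = null; --');

-- The allowlist rejects the call before any dynamic SQL is built.
select testinjection_safe('demo_t" set c = null; --', 1);

-- Legitimate use: only row 2 of demo_t has c set to null.
select testinjection_safe('demo_t', 2);
select * from demo_t order by id;
```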