On Sep 14, 2009, at 1:02 PM, Pavel Stehule wrote:
> 2009/9/14 Merlin Moncure <mmoncure@gmail.com>:
>> On Mon, Sep 14, 2009 at 1:42 PM, Pavel Stehule
>> <pavel.stehule@gmail.com> wrote:
>>>> How is it any worse than what people can already do? Anyone who
>>>> isn't aware
>>>> of the dangers of SQL injection has already screwed themselves.
>>>> You're
>>>> basically arguing that they would put a variable inside of
>>>> quotes, but they
>>>> would never use ||.
>>>
>>> simply - people use functions quote_literal or quote_ident.
>>
>> you still have use of those functions:
>> execute sprintf('select * from %s', quote_ident($1));
>>
>> sprintf is no more or less dangerous than || operator.
>
> sure. I commented different feature
>
> some := 'select * from $1'
>
> regards
> Pavel
>
> p.s. In this case, I am not sure what is more readable:
>
> execute 'select * from ' || quote_ident($1)
>
> is readable well too.
Ahh... the problem is one of fixating on an example instead of the
overall use case.
More examples...
RETURN 'Your account is now $days_overdue days overdue. Please
contact your account manager ($manager_name) to ...';
And an example of how readability would certainly be improved...
sql := $$INSERT INTO cnu_stats.$$ || v_field_name || $$( $$ ||
v_field_name || $$ ) SELECT DISTINCT $$ || v_field_name || $$ FROM chunk t WHERE NOT EXISTS( SELECT *
FROMcnu_stats.$$ || v_field_name
|| $$ s WHERE s.$$ || v_field_name || $$ = t.$$ || v_field_name || $$ )$$
becomes
sql := $$INSERT INTO cnu_stats.${v_field_name} ( ${v_field_name} ) SELECT DISTINCT $v_field_name FROM chunk t
WHERE NOT EXISTS( SELECT * FROM cnu_stats.${v_field_name} s WHERE s.${v_field_name}
=t.$
{v_field_name} )$$
Granted, that example wouldn't be too bad with sprintf, but only
because everything is referencing the same field.
--
Decibel!, aka Jim C. Nasby, Database Architect decibel@decibel.org
Give your computer some brain candy! www.distributed.net Team #1828