On Wed, Oct 31, 2012 at 1:23 PM, Shai Berger <[email protected]> wrote:
> This, almost worthy of being called an sql injection, can't be the right way
> to achieve the goal. In fact, the Oracle backend (or even some higher, more
> generic level) should have doubled those '"' characters to make them part of
> the name. But -- save length issues -- the ploy succeeds:

In fact, Oracle table names are not allowed to contain double quote
characters at all. Doubling them does not change this. Per the Oracle
naming rules:

> Nonquoted identifiers can contain only alphanumeric characters from your
> database character set and the underscore (_), dollar sign ($), and pound
> sign (#). Database links can also contain periods (.) and "at" signs (@).
> Oracle strongly discourages you from using $ and # in nonquoted identifiers.
>
> Quoted identifiers can contain any characters and punctuations marks as
> well as spaces. *However, neither quoted nor nonquoted identifiers can
> contain double quotation marks* or the null character (\0).

Cheers,
Ian
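As an added example (not part of the original message and not Django's own code): a validator that applies the Oracle rules quoted above by rejecting a name containing a double quote or the null character instead of doubling the quote. The function names, the ASCII-only reading of "alphanumeric", and the `max_bytes=30` limit counted in UTF-8 bytes are assumptions of this example.

```python
import re

# Nonquoted form per the quoted excerpt: alphanumerics, _, $ and #.
# Restricting "alphanumeric" to ASCII is an assumption of this example; other
# Oracle rules (leading letter, reserved words) are not checked here.
NONQUOTED_RE = re.compile(r"[A-Za-z0-9_$#]+\Z")
# Characters no Oracle identifier may contain, quoted or not.
FORBIDDEN = {'"': "double quotation mark", "\0": "null character"}


class InvalidIdentifier(ValueError):
    """The name cannot be made into a legal identifier by quoting."""


def quote_oracle_identifier(name, max_bytes=30):
    """Wrap name in double quotes, refusing names that quoting cannot fix.

    max_bytes is an assumed limit, counted in UTF-8 bytes (not from the thread).
    """
    if not name:
        raise InvalidIdentifier("empty identifier")
    for ch, label in FORBIDDEN.items():
        if ch in name:
            # Doubling the quote would not help: the character is banned outright.
            raise InvalidIdentifier("identifier contains a %s" % label)
    if len(name.encode("utf-8")) > max_bytes:
        raise InvalidIdentifier("identifier exceeds %d bytes" % max_bytes)
    return '"%s"' % name


def classify(name):
    """Return 'nonquoted', 'quoted' or 'invalid: <reason>' for a candidate name."""
    try:
        quote_oracle_identifier(name)
    except InvalidIdentifier as exc:
        return "invalid: %s" % exc
    return "nonquoted" if NONQUOTED_RE.match(name) else "quoted"


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for sample in ["ORDERS_2012", "order items", 'a"b', 'a""b', "x\0y", "t" * 31]:
        print(repr(sample), "->", classify(sample))
```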
