On Thu, 6 Feb 2003, Yaniv Hamo wrote:

> I noticed that Postgres issues a fatal error when given a quoted name of
> table or column. This is a problem in secured cgi scripts, which quote
> everything they get from the user, to avoid malicious users from trying to
> execute SQL commands using some engineered input.
>
>
> shared# select version();
> version
> ---------------------------------------------------------------------
> PostgreSQL 7.3.1 on i686-pc-linux-gnu, compiled by GCC egcs-2.91.66
>
>
> shared# CREATE TABLE 'testtable' ('test' INT);
> ERROR: parser: parse error at or near "'testtable'" at character 14

I don't believe that's a valid query. For delimiting identifiers I think
you want double quotes not single quotes.
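
The distinction discussed in this thread, as an added example that is not part of either message: identifiers (table and column names) are delimited with double quotes, with any embedded double quote doubled, while values are passed as bound parameters rather than quoted into the statement. Assumptions: the helper names `quote_ident`, `create_and_insert`, `table_names` and `demo` are hypothetical, and Python's built-in `sqlite3` stands in for PostgreSQL so the code runs offline; both follow the same double-quote rule for delimited identifiers.

```python
import sqlite3

def quote_ident(name: str) -> str:
    """Delimit a SQL identifier: wrap in double quotes, double embedded ones."""
    if not name or "\x00" in name:
        raise ValueError("identifier must be non-empty and contain no NUL byte")
    return '"' + name.replace('"', '""') + '"'

def create_and_insert(conn, table: str, column: str, value: int) -> None:
    # Identifiers cannot be bound as parameters, so they are delimited with
    # double quotes. The value is data and goes through a placeholder.
    t, c = quote_ident(table), quote_ident(column)
    conn.execute(f"CREATE TABLE {t} ({c} INT)")
    conn.execute(f"INSERT INTO {t} ({c}) VALUES (?)", (value,))

def table_names(conn) -> set:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in rows}

def demo():
    conn = sqlite3.connect(":memory:")  # stand-in database (assumption)
    conn.execute('CREATE TABLE "users" ("id" INT)')
    # Constructed sample inputs: the name from the thread and a hostile name.
    hostile = 'x"; DROP TABLE users; --'
    create_and_insert(conn, "testtable", "test", 1)
    create_and_insert(conn, hostile, "test", 2)
    # The hostile string ends up as one (odd) table name; "users" survives.
    return table_names(conn), hostile

if __name__ == "__main__":
    names, _ = demo()
    for name in sorted(names):
        print(repr(name))
```
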