Is there any known way to inject SQL into a function similar to this?

create function testinjection(text,integer) returns void as $BODY$
declare
begin
  execute 'update '||quote_ident($1)||' set c=null where id='||$2;
  return;
end;
$BODY$ language 'plpgsql' volatile security definer;

grant execute on function testinjection(text,integer) to public;
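As an added example (not the poster's code), the same function rewritten in the idiom the PostgreSQL documentation recommends for dynamic SQL in SECURITY DEFINER functions: the identifier is still quoted (format's %I does what quote_ident() does), the integer is passed as a bound parameter with USING instead of being concatenated into the statement text, and search_path is pinned so name resolution cannot be redirected through a caller-controlled schema. The function name testinjection_safe and the table t are constructed for this example.

```sql
-- Constructed sample table so the function can be exercised.
create table t (id integer primary key, c text);
insert into t values (1, 'keep'), (2, 'clear');

-- Hardened rewrite of the posted function (hypothetical name).
--  * format('%I', $1) double-quotes the table name and doubles any embedded
--    double quote, exactly as quote_ident($1) does, so the first argument can
--    only ever name a table, never extend the statement.
--  * The id is supplied through USING; the $1 inside the string is a
--    placeholder for the bound value, not PL/pgSQL's function parameter, so
--    it is sent to the planner as a typed value, not as SQL text.
--  * SET search_path fixes schema resolution for the function body, the
--    standard precaution for SECURITY DEFINER functions.
create function testinjection_safe(text, integer) returns void as $BODY$
begin
  execute format('update %I set c = null where id = $1', $1) using $2;
  return;
end;
$BODY$ language plpgsql volatile security definer
set search_path = public, pg_temp;

-- Grant only what callers need; PUBLIC gets EXECUTE on new functions by
-- default, so revoke first and then grant explicitly.
revoke all on function testinjection_safe(text, integer) from public;
grant execute on function testinjection_safe(text, integer) to public;

-- Exercise: clears column c of row 2 in table t and nothing else.
select testinjection_safe('t', 2);
select * from t order by id;
```

The integer-typed second parameter in the original already prevents SQL text from arriving through it; the USING form additionally avoids implicit text conversion and keeps the statement shape fixed.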
Subject: [GENERAL] PL/pgSQL EXECUTE quote_ident(), and SQL injection
From: Knut P. Lehre