On Mar 22, 2011, at 1:32 AM, Pavel Stehule wrote: > it can work too, but there is sql injection risk. > > Do newer 'SELECT ... FROM ' || tabname || ' ... > > Regards > > Pavel Stehule
Yes true. Same with the following too: CREATE FUNCTION foo(tablename text) RETURNS SETOF text AS $$ BEGIN RETURN QUERY EXECUTE 'SELECT content FROM ' || quote_ident(tablename); END; $$ LANGUAGE plpgsql; To prevent from sql injection user can try with SQL Protect: http://www.enterprisedb.com/docs/en/9.0/sqlprotect/Table%20of%20Contents.htm Thanks & Regards, Vibhor Kumar EnterpriseDB Corporation The Enterprise PostgreSQL Company vibhor.ku...@enterprisedb.com Blog:http://vibhork.blogspot.com -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
