On Mar 22, 2011, at 1:52 AM, Pavel Stehule wrote: > simply thinks as using USAGE clause or functions quote_ident, > quote_literal are faster and absolutly secure :). Software like SQL
I don't think usage of quote_ident in current requirement of user, would prevent sql injection. Running sql multiple times, someone can guess the tabename which can give data: ERROR: relation "am" does not exist LINE 1: SELECT content FROM am ^QUERY: SELECT content FROM amCONTEXT: PL/pgSQL function "foo" line 2 at RETURN QUERY SQL Protect will make above message something like given below: ERROR: SQLPROTECT: Illegal Query: relations Which stops user guessing relation. Thanks & Regards, Vibhor Kumar EnterpriseDB Corporation The Enterprise PostgreSQL Company vibhor.ku...@enterprisedb.com Blog:http://vibhork.blogspot.com -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
