On Mon, Feb 5, 2018 at 2:26 AM, Ashesh Vashi wrote:
> On Mon, Feb 5, 2018 at 1:35 AM, Dave Page wrote:
>
>> Hi
>>
>> On 4 Feb 2018, at 18:07, Ashesh Vashi wrote:
>>
>>> Hi Dave,
>>>
>>> There is a possibility of SQL Injection (if we don't use qtLiteral).
>>> We need some kind of check for this.
>>>
>>> What do you say?
>>
>> The user is already logged in, and could run the query tool anyway to do
>> anything their privilege
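The injection the thread is talking about, and a check of the kind Ashesh asks for, as an added example that is not pgAdmin's own code: qt_literal and qt_ident below are stand-ins modelled on PostgreSQL's string-literal and identifier quoting rules (not the project's qtLiteral/qtIdent filters), render_comment_unsafe/render_comment_safe and SAMPLE_TEMPLATE are constructed for illustration, and find_unquoted_substitutions is a hypothetical lint that flags {{ ... }} substitutions in a Jinja SQL template that are not passed through qtLiteral or qtIdent.

```python
import re

# --- Quoting helpers -------------------------------------------------------
# Stand-ins for pgAdmin's qtLiteral / qtIdent Jinja filters. They are
# assumptions made for this example, not pgAdmin's own implementation.

def qt_literal(value):
    """Render value as a PostgreSQL string literal.

    With standard_conforming_strings on (the default since 9.1) the only
    character that needs escaping inside '...' is the single quote, which
    is doubled.
    """
    if value is None:
        return "NULL"
    return "'" + str(value).replace("'", "''") + "'"


def qt_ident(name):
    """Render name as a quoted PostgreSQL identifier (double quotes doubled)."""
    return '"' + str(name).replace('"', '""') + '"'


# --- Two renderings of the same statement ---------------------------------
# Modelled on a COMMENT ON template; constructed here, not taken from pgAdmin.

def render_comment_unsafe(schema, description):
    # User-controlled text is dropped straight into the SQL; a quote in
    # `description` ends the literal early.
    return "COMMENT ON SCHEMA {} IS '{}';".format(schema, description)


def render_comment_safe(schema, description):
    return "COMMENT ON SCHEMA {} IS {};".format(qt_ident(schema),
                                                qt_literal(description))


def count_statements(sql):
    """Count top-level statements, ignoring semicolons inside '...' or "...".

    A crude scanner (no comment handling); it is enough to show whether a
    payload escaped the literal it was supposed to be confined to.
    """
    count, quote, i = 0, None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            if ch == quote:
                if i + 1 < len(sql) and sql[i + 1] == quote:
                    i += 1          # doubled quote: still inside the token
                else:
                    quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            count += 1
        i += 1
    return count


# Constructed payload: closes the literal, appends a statement, comments out the rest.
PAYLOAD = "x'; DROP TABLE users; --"


# --- Template check -------------------------------------------------------
# A static check of the kind the thread asks for: report every {{ ... }}
# substitution that does not go through one of the quoting filters.

SUBST = re.compile(r"\{\{(.*?)\}\}")


def find_unquoted_substitutions(template_text, safe_filters=("qtLiteral", "qtIdent")):
    """Return [(line_number, expression)] for substitutions lacking a safe filter."""
    flagged = []
    for lineno, line in enumerate(template_text.splitlines(), 1):
        for m in SUBST.finditer(line):
            expr = m.group(1).strip()
            if not any(f in expr for f in safe_filters):
                flagged.append((lineno, expr))
    return flagged


# Constructed sample template (not one of pgAdmin's templates).
SAMPLE_TEMPLATE = """\
{# constructed sample, not a pgAdmin template #}
CREATE SCHEMA {{ conn|qtIdent(data.name) }}
    AUTHORIZATION {{ conn|qtIdent(data.namespaceowner) }};
COMMENT ON SCHEMA {{ conn|qtIdent(data.name) }} IS {{ data.description|qtLiteral }};
ALTER DATABASE {{ conn|qtIdent(data.name) }} SET {{ var.name }} = {{ var.value }};
"""


if __name__ == "__main__":
    print(render_comment_unsafe("public", PAYLOAD),
          count_statements(render_comment_unsafe("public", PAYLOAD)))
    print(render_comment_safe("public", PAYLOAD),
          count_statements(render_comment_safe("public", PAYLOAD)))
    for lineno, expr in find_unquoted_substitutions(SAMPLE_TEMPLATE):
        print("line {}: unquoted substitution {{{{ {} }}}}".format(lineno, expr))
```

The unsafe rendering yields two statements from one template; the quoted one keeps the whole payload inside a single literal. The lint deliberately reports the SET variable name and value on the last template line: values given to SET may legitimately be identifiers, keywords or numbers rather than string literals, so a substitution left unquoted on purpose has to be validated some other way (a whitelist of variable names, a type check on the value), and a checker like this is a review aid rather than a gate.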

Don't quote variable values used by SET. It's usually going to be wrong. Fixes #3027

Branch
------
master

Details
-------
https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789

Modified Files
--------------
.../databases/schemas/templates/macros