Re: [HACKERS] PQescapeIdentifier

Christopher Kings-Lynne <chriskl@familyhealth.com.au>

From: Christopher Kings-Lynne <chriskl@familyhealth.com.au>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Bruce Momjian <bruce@momjian.us>, PostgreSQL-patches <pgsql-patches@postgresql.org>
Date: 2006-06-27T02:43:24Z
Lists: pgsql-hackers
>> I thought of that but I assume we were not accepting user-supplied
>> identifiers for this --- that this was only for application use.  Am I
>> wrong?

Well, yes the plan was to accept user-supplied identifiers...

> If you insist on a practical example, I can certainly imagine someone
> thinking it'd be cool to allow searches on a user-selected column, and
> implementing that by passing the user-given column name straight into
> the query with only PQescapeIdentifier for safety.

Yes, phpPgAdmin sure would.  I imagine this would be a nightmare to 
address properly, so perhaps we should remove the function :(