Re: [HACKERS] PQescapeIdentifier
Christopher Kings-Lynne <chriskl@familyhealth.com.au>
From: Christopher Kings-Lynne <chriskl@familyhealth.com.au>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Bruce Momjian <bruce@momjian.us>, PostgreSQL-patches <pgsql-patches@postgresql.org>
Date: 2006-06-27T02:43:24Z
Lists: pgsql-hackers
>> I thought of that but I assume we were not accepting user-supplied >> identifiers for this --- that this was only for application use. Am I >> wrong? Well, yes the plan was to accept user-supplied identifiers... > If you insist on a practical example, I can certainly imagine someone > thinking it'd be cool to allow searches on a user-selected column, and > implementing that by passing the user-given column name straight into > the query with only PQescapeIdentifier for safety. Yes, phpPgAdmin sure would. I imagine this would be a nightmare to address properly, so perhaps we should remove the function :(