You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@madlib.apache.org by GitBox <gi...@apache.org> on 2019/10/21 18:45:22 UTC
[GitHub] [madlib] reductionista commented on issue #452: DL: Remove
quote_ident to allow tables on schemas
reductionista commented on issue #452: DL: Remove quote_ident to allow tables on schemas
URL: https://github.com/apache/madlib/pull/452#issuecomment-544652681
> I have added a test with a special character in table name.
> I am not sure if we actually have a sql injection risk in this case. The very first case these user-defined strings get used in a sql query is in the table exists function. There, we put the string in quotes before checking against pg_namespace. Since it is treated as a string, not a sql command, I think the check will fail before we execute anything else.
Adding quotes manually will allow it to work with table names that have spaces, tabs, or capital letters in their name. But it won't help guard against SQL injection, which usually works by the attacker ending the quotes and then inserting a command, then starting the quotes again later. I think this is the main reason for the existence of the `quote_ident` function, since just using quotes would work to handle most other cases. It also allows table names to have quotes in them, which doesn't work with manual quoting--but that's a fairly obscure use case that doesn't seem important to support.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services