orhankislal commented on issue #452: DL: Remove quote_ident to allow tables on schemas URL: https://github.com/apache/madlib/pull/452#issuecomment-544646689 I have added a test with a special character in table name. I am not sure if we actually have a sql injection risk in this case. The very first case these user-defined strings get used in a sql query is in the table exists function. There, we put the string in quotes before checking against pg_namespace. Since it is treated as a string, not a sql command, I think the check will fail before we execute anything else.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
