reductionista commented on issue #452: DL: Remove quote_ident to allow tables on schemas URL: https://github.com/apache/madlib/pull/452#issuecomment-544652681 > I have added a test with a special character in table name. > I am not sure if we actually have a sql injection risk in this case. The very first case these user-defined strings get used in a sql query is in the table exists function. There, we put the string in quotes before checking against pg_namespace. Since it is treated as a string, not a sql command, I think the check will fail before we execute anything else. Adding quotes manually will allow it to work with table names that have spaces, tabs, or capital letters in their name. But it won't help guard against SQL injection, which usually works by the attacker ending the quotes and then inserting a command, then starting the quotes again later. I think this is the main reason for the existence of the `quote_ident` function, since just using quotes would work to handle most other cases. It also allows table names to have quotes in them, which doesn't work with manual quoting--but that's a fairly obscure use case that doesn't seem important to support.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
