
Commit 8996199

committed
Merge pull request 2ndQuadrant#2 from 3nids/schemasafe
`text || regclass`, via the `regclass` to `text` cast, already quotes table identifiers where necessary. The `quote_ident` calls here are unnecessary, and in fact incorrect as they result in quotes that were part of the table quoting becoming part of the identifier name. Example: ``` create table "I will hack your');DROP TABLE student;--" ( haha integer ); SELECT '"I will hack your'');DROP TABLE student;--"'::regclass::oid; -- Produces oid 53060 here regress=> SELECT 'DROP TABLE ' || 53060::oid::regclass; ?column? ------------------------------------ DROP TABLE "I will + hack your');DROP TABLE student;--" (1 row) regress=> SELECT 'DROP TABLE ' || quote_ident(53060::oid::regclass::text); ?column? -------------------------------------- DROP TABLE """I will + hack your');DROP TABLE student;--""" (1 row) ```
2 parents 7a3fc20 + 7abe129 commit 8996199


1 file changed

+4
-4
lines changed


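--- a/audit.sql
+++ b/audit.sql
@@ -184,15 +184,15 @@ DECLARE
 _q_txt text;
 _ignored_cols_snip text = '';
 BEGIN
-EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_row ON ' || quote_ident(target_table::text);
-EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_stm ON ' || quote_ident(target_table::text);
+EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_row ON ' || target_table;
+EXECUTE 'DROP TRIGGER IF EXISTS audit_trigger_stm ON ' || target_table;
 
 IF audit_rows THEN
 IF array_length(ignored_cols,1) > 0 THEN
 _ignored_cols_snip = ', ' || quote_literal(ignored_cols);
 END IF;
 _q_txt = 'CREATE TRIGGER audit_trigger_row AFTER INSERT OR UPDATE OR DELETE ON ' ||
-quote_ident(target_table::text) ||
+target_table ||
 ' FOR EACH ROW EXECUTE PROCEDURE audit.if_modified_func(' ||
 quote_literal(audit_query_text) || _ignored_cols_snip || ');';
 RAISE NOTICE '%',_q_txt;
@@ -202,7 +202,7 @@ BEGIN
 END IF;
 
 _q_txt = 'CREATE TRIGGER audit_trigger_stm AFTER ' || stm_targets || ' ON ' ||
-quote_ident(target_table::text) ||
+target_table ||
 ' FOR EACH STATEMENT EXECUTE PROCEDURE audit.if_modified_func('||
 quote_literal(audit_query_text) || ');';
 RAISE NOTICE '%',_q_txt;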
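Review bot: The four bare `|| target_table` concatenations (the two DROP TRIGGER lines and both CREATE TRIGGER builds) are safe only while `target_table` is declared `regclass`, and nothing in the new lines records that dependency. The parameter declaration is outside both hunks, so the type is presumably `regclass` but cannot be confirmed from here. With the `quote_ident` calls gone, a later change of the parameter to `text` would silently turn these into unquoted concatenation of caller-supplied input into `EXECUTE`. I would add a comment above the first EXECUTE, e.g. `-- target_table is regclass: its text output is already quoted and schema-qualified where needed; do not wrap it in quote_ident and do not retype the parameter as text`. Writing the cast explicitly at each site, `|| target_table::text`, would also make the reliance on the regclass output visible rather than implicit.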
