Bart Friederichs
Reputation: 33511
How to cast column name to prevent SQL injection?
When defining EXECUTE in a PostgreSQL function, I can cast tables names to ::regclass to make sure they are valid relation names. Now, I want to extend that to column names, but I cannot find the right type for that.
My code:
...
BEGIN
EXECUTE '
UPDATE ' || tbl::regclass || ' SET ' || col || '=someVal WHERE idcol=id
';
END;
...
What to put after col to cast it to a column name?
Upvotes: 0
Views: 201
Answers (1)
Related Questions
- PostgreSQL - How call a procedure with a varchar parameter
- PostgreSQL Dollar-Quoted Strings Constants to Prevent SQL Injection
- Stored Procedure Error Message - adding explicit type casts?
- Prevent SQL Injection in Dynamic column names
- Do we need to sanitize data when a stored procedure is used?
- Pass column name to a function
- Dynamically create column name postgresql
- PostgreSQL Stored Procedures with text as parameters
- How to pass object (table or column) names into a stored procedure
- how to prevent SQL Injection