Also delimit variables that contain schema names or function names or other identifiers when you concatenate them into dynamic SQL. PostgreSQL uses double-quotes as the identifier delimiter.
Remember to check the variable's content for literal double-quote characters, and replace them with two double-quotes. You might think no one would be silly enough to use literal double-quote characters in their identifiers, but they do. Just as they use reserved keywords or whitespace or punctuation in their identifiers. Any of these cases would break the line of code you linked to.
It doesn't have to be a malicious SQL injection attack, it can just be that some developer naively named their function "my function" (with a space).
For instance, the string args are wrapped in single quotes, which is a backdoor for SQL injections:
https://github.com/dmagda/pg-compute-node/blob/main/compute/pg_compute.js#L208
Review other places for potential vulnerabilities.
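The two points raised in this thread, identifier delimiting with doubled embedded double-quotes and not concatenating string args into single quotes, as an added example that is not code from pg-compute-node; `buildCallNaive`, `quoteIdent` and `buildCallSafe` are hypothetical names, and the function name and arguments are constructed sample values:

```javascript
// Added example (not pg-compute-node code): building a call to a PostgreSQL
// function. Schema and function names are identifiers, so they are delimited
// with double quotes and any embedded double quote is doubled; argument
// values are never concatenated but handed over as $1..$n parameters.

// Naive construction the issue describes: identifier pasted in as-is,
// string args wrapped in single quotes by concatenation.
function buildCallNaive(fnName, args) {
  const list = args
    .map(a => (typeof a === 'string' ? `'${a}'` : String(a)))
    .join(', ');
  return `SELECT ${fnName}(${list})`;
}

// Delimit an identifier: wrap in double quotes, double embedded double quotes.
function quoteIdent(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// Hardened construction: quoted identifiers, $n placeholders for every arg,
// values returned separately so the driver sends them out of band.
function buildCallSafe(schema, fnName, args) {
  const target = (schema ? quoteIdent(schema) + '.' : '') + quoteIdent(fnName);
  const placeholders = args.map((_, i) => `$${i + 1}`).join(', ');
  return { text: `SELECT ${target}(${placeholders})`, values: args };
}

// Constructed sample: a function name containing a space and a double quote,
// and a benign string arg holding an apostrophe. Neither is an attack, yet
// both break the naive form, exactly as the issue points out.
const fn = 'my "odd" function';
const sampleArgs = ["O'Brien", 42];

console.log(buildCallNaive(fn, sampleArgs));
// SELECT my "odd" function('O'Brien', 42)
console.log(buildCallSafe('public', fn, sampleArgs).text);
// SELECT "public"."my ""odd"" function"($1, $2)
```

The `{ text, values }` object is the shape node-postgres' `client.query` accepts, so the values never touch the SQL text.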