thevar1able/ClickHouse
1
0
Fork 0
mirror of https://github.com/ClickHouse/ClickHouse.git synced 2024-11-22 15:42:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential (safe) SQL-injection

Browse Source
This commit is contained in:
Alexey Milovidov 2021-01-16 11:15:43 +03:00
parent 31593e2000
commit 45380d45c8
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/Databases/PostgreSQL/DatabasePostgreSQL.cpp
View File

@ -99,6 +99,13 @@ std::unordered_set<std::string> DatabasePostgreSQL::fetchTablesList() const
bool DatabasePostgreSQL::checkPostgresTable(const String & table_name) const
{
if (table_name.find('\'') != std::string::npos
|| table_name.find('\\') != std::string::npos)
{
throw Exception(ErrorCodes::BAD_ARGUMENTS,
"PostgreSQL table name cannot contain single quote or backslash characters, passed {}", table_name);
}
pqxx::nontransaction tx(*connection->conn());
try