YouTube-like Short IDs as Postgres Primary Keys
There is no real danger of SQL injection here, but it's best to write it so that if code gets copied or reused elsewhere it won't expose the code to this type of attack. The use of `quote_ident` and `quote_literal` is appropriate, but for maintenance and readability there are other techniques to use.

So rather than this

```sql
qry := 'SELECT id FROM ' || quote_ident(TG_TABLE_NAME) || ' WHERE id=';
```

use

```sql
qry := FORMAT('SELECT id FROM %I WHERE id=$1', TG_TABLE_NAME);
```

The `%I` inserts the `quote_ident` of the first parameter, and the `$1` is a placeholder for the first parameter on the EXECUTE. And then when you invoke it, rather than

```sql
EXECUTE qry || quote_literal(key) INTO found;
```

use

```sql
EXECUTE qry INTO found USING key;
```

Dynamic SQL generation is a powerful feature, but being paranoid about preventing an injection attack is vital to writing secure code, especially when that code is visible on the intertubes and could be copy-and-pasted into someone else's code without the same care.
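To show the two suggestions above in context, here is an added, self-contained trigger function (not the gist's own code and not from the commenter): it builds the collision-check query once with `format()` and `%I`, binds the candidate key with `USING`, and additionally schema-qualifies the table via `TG_TABLE_SCHEMA` so a same-named table earlier on the `search_path` cannot be consulted by mistake. The table name `videos`, the 6-byte key length and the use of pgcrypto's `gen_random_bytes` are assumptions of this example.

```sql
-- Requires pgcrypto for gen_random_bytes(): CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE OR REPLACE FUNCTION unique_short_id() RETURNS trigger AS $$
DECLARE
  key   TEXT;
  qry   TEXT;
  found TEXT;
BEGIN
  -- %I runs quote_ident() on each identifier; $1 is bound at EXECUTE time,
  -- so neither the table name nor the key is ever spliced in as raw text.
  -- Schema-qualifying with TG_TABLE_SCHEMA is an addition beyond the comment above.
  qry := format('SELECT id FROM %I.%I WHERE id = $1', TG_TABLE_SCHEMA, TG_TABLE_NAME);

  LOOP
    -- 6 random bytes -> 8 base64 characters; swap '/' and '+' for URL-safe
    -- '_' and '-' (no '=' padding occurs at this length).
    key := translate(encode(gen_random_bytes(6), 'base64'), '/+', '_-');

    -- Parameterised collision check; found stays NULL when no row matches.
    EXECUTE qry INTO found USING key;
    EXIT WHEN found IS NULL;
  END LOOP;

  NEW.id := key;
  RETURN NEW;
END;
$$ LANGUAGE plpgsql;

-- Example wiring (constructed): any table with a TEXT "id" column works.
CREATE TABLE videos (
  id    TEXT PRIMARY KEY,
  title TEXT NOT NULL
);

CREATE TRIGGER videos_short_id
  BEFORE INSERT ON videos
  FOR EACH ROW EXECUTE FUNCTION unique_short_id();

-- INSERT INTO videos (title) VALUES ('first upload');  -- id filled in by the trigger
```

`EXECUTE FUNCTION` in `CREATE TRIGGER` needs PostgreSQL 11 or later; on older servers write `EXECUTE PROCEDURE` instead.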
This issue appears to be discussing a feature request or bug report related to the repository. Based on the content, it seems to be resolved. The issue was opened by mmauger and has received 1 comment.