(insert usual "i don't have lot of hands on sql experience" here.)
i've got system that's responsible sending out fair amount of emails, , i'm adding functionality save records of each email, segregated recipient.
right i'm setting these email logs upsert table email being table name. right now, looks pg library node.js doesn't allow using table names part of prepared statement.
my question 2 fold, a) should concerned injection when able name based off of email address? , b) if so, how can around security concerns here?
example of how i'm handling currently:
function _upserttable(email, cb) { // normalize email address. var tablename = 'email."' + email.tolowercase() + '"'; client.query([ ("create table if not exists " + tablename), "(", "htmlmessage text,", "textmessage text,", "templateid character(24),", "files oid", ")" ].join(' '), cb); } // insert email record table function _recordemail(email, cb) { var tablename = 'email."' + email.tolowercase() + '"'; client.query([ 'insert ' + tablename, 'values (', '$1,', '$2,', '$3,', 'null', ')' ].join(' '), [html, text, templateid], cb); } edit:
i point out horrible idea in retrospect, , urge others not take approach if considering doing same. please read comments see why bad idea.
prepared statement parameter substitution works data portions of statement, not places sql schema objects referenced.
you can build adequate amount of escaping , quoting, suggest don't.
a better way restore data describing on 1 table email address being column. possibly separate email addresses separate table , point them integer id save space.
Comments
Post a Comment