
I'm trying to make an SQL injection in my own function in PostgreSQL 13

0 votes
2 answers
424 views
Just for learning purposes, I'm trying to create a function using PLPGSQL and make an SQL injection on it. I recently learned about format, USING and quote_literal and quote_ident, so I'm good about avoiding an SQL injection. What I'm trying to do is create a function that allows an SQL injection (i.e. a drop table). So I wrote this:
create or replace function badfunc(tablename text, identifier int4)
returns setof character varying as $$
declare
    query text;
begin
    query := 'select full_name from ' || $1 || ' where re = ' || $2 ||'';
    raise notice 'query: %', query;
    return query execute query;
end;
$$ language 'plpgsql';
But when I execute this function with select badfunc('; drop table tb_students;', 1001); I get this error:
ERROR: syntax error at or near ";" where: function PL/pgSQL badfunc(text,integer) linha 7 in RETURN QUERY
So I think that's not how it is done. How can I achieve this SQL injection?
Asked by André Carvalho (136 rep)
Mar 11, 2022, 12:53 PM
Last activity: Mar 11, 2022, 05:51 PM
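
For comparison with badfunc above, here is an added example (not part of the original post) of the same lookup written with format and USING, which the question mentions. The function names goodfunc and goodfunc_rc are hypothetical, and the table tb_students with columns full_name and re is assumed from the question.

```sql
-- Added example: hardened counterparts of badfunc (names are hypothetical).
-- Assumes a table such as tb_students(full_name varchar, re int4).

-- Variant 1: the table name stays text but is quoted as an identifier.
create or replace function goodfunc(tablename text, identifier int4)
returns setof character varying as $$
declare
    query text;
begin
    -- %I quotes the argument as ONE identifier, so whatever the caller
    -- passes can only ever name a relation; it is never parsed as SQL.
    -- $1 inside the string is a placeholder for EXECUTE ... USING,
    -- not the function's first argument.
    query := format('select full_name from %I where re = $1', tablename);
    raise notice 'query: %', query;
    -- The value travels as a bind parameter and never becomes SQL text.
    return query execute query using identifier;
end;
$$ language plpgsql;

-- Variant 2: let the type system validate the table name.
-- A regclass argument must resolve to an existing relation when the
-- function is called, and it also handles schema-qualified names,
-- which %I would quote as a single identifier.
create or replace function goodfunc_rc(tablename regclass, identifier int4)
returns setof character varying as $$
begin
    -- regclass renders as a correctly quoted name, so %s is safe here.
    return query execute
        format('select full_name from %s where re = $1', tablename)
        using identifier;
end;
$$ language plpgsql;

-- Normal use.
select goodfunc('tb_students', 1001);
select goodfunc_rc('tb_students', 1001);

-- The input from the question is now treated as the name of a table
-- that does not exist, so both calls fail without running any of it.
select goodfunc('; drop table tb_students;', 1001);
select goodfunc_rc('; drop table tb_students;', 1001);
```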