undefine does not escape the function name parameter (it just uses a plain %s format specifier), which can lead to SQL injection if a non-trusted user can create custom functions like this: select define('f ''; drop table innocent; --', '1');
sqlean must use the dedicated %q and %w specifiers, which automatically double single (') and double (") quotes, in order to avoid such issues.
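As an added example (not sqlean's own code), the defect and its fix reproduced with Python's built-in sqlite3 module: a registry table stands in for define's storage, one undefine interpolates the name the way a plain %s does, and a hardened variant doubles quotes the way %q does. The registry schema, the "innocent" table and the shape of the delete statement are assumptions, not sqlean's real implementation.

```python
import sqlite3

# The function name from the page's payload, as it is stored after the
# define() call unescapes the doubled quote.
PAYLOAD_NAME = "f '; drop table innocent; --"


def quote_literal(value: str) -> str:
    """Mimic sqlite3_mprintf's %q: double every ' and wrap in '...'."""
    return "'" + value.replace("'", "''") + "'"


def quote_identifier(name: str) -> str:
    """Mimic sqlite3_mprintf's %w: double every " and wrap in "..." (for identifiers)."""
    return '"' + name.replace('"', '""') + '"'


def make_db() -> sqlite3.Connection:
    """Constructed fixture: a victim table plus an assumed registry of user functions."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "create table innocent(id integer primary key);"
        "insert into innocent values (1);"
        "create table registry(name text primary key, body text);"
    )
    return db


def define(db: sqlite3.Connection, name: str, body: str) -> None:
    """Store a function; parameter binding, so any name is stored verbatim."""
    db.execute("insert into registry values (?, ?)", (name, body))


def undefine_vulnerable(db: sqlite3.Connection, name: str) -> None:
    """Name pasted in like %s: the stored quote ends the literal early."""
    sql = "delete from registry where name = '%s'" % name
    db.executescript(sql)  # executescript runs every statement, as sqlite3_exec does


def undefine_hardened(db: sqlite3.Connection, name: str) -> None:
    """Name quoted like %q: the whole payload stays one string literal."""
    sql = "delete from registry where name = %s" % quote_literal(name)
    db.executescript(sql)


def table_exists(db: sqlite3.Connection, table: str) -> bool:
    row = db.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?", (table,)
    ).fetchone()
    return row[0] == 1


def is_defined(db: sqlite3.Connection, name: str) -> bool:
    return db.execute("select count(*) from registry where name = ?", (name,)).fetchone()[0] == 1
```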