Preventing SQL Injection in PL/pgSQL in psql - Mailing list pgsql-general

From Karen Hill
Subject Preventing SQL Injection in PL/pgSQL in psql
Msg-id 1147219471.500510.248860@i40g2000cwc.googlegroups.com
Responses Re: Preventing SQL Injection in PL/pgSQL in psql
List pgsql-general
Is my understanding correct that the following is vulnerable to SQL
injection in psql:

CREATE OR REPLACE FUNCTION fx ( my_var bpchar)
RETURNS void AS
$$
BEGIN
INSERT INTO fx VALUES ( my_var ) ;
END;
$$
LANGUAGE 'plpgsql' VOLATILE;

Where this is NOT subject to SQL injection:

CREATE OR REPLACE FUNCTION fx ( my_var bpchar)
RETURNS void AS
$$
BEGIN
EXECUTE ' INSERT INTO fx VALUES ( ' || quote_literal( my_var) || ' ); ';
END;
$$ LANGUAGE 'plpgsql' VOLATILE;


Is this understanding correct?
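The following is an added example, not part of the original post or of PostgreSQL's own code, that puts the two forms from the question side by side with the variants a reviewer would compare them against. In the static form the parameter is bound by the PL/pgSQL planner rather than spliced into the query text, so it needs no quoting at all; the injection risk only appears once the statement is assembled as a string for EXECUTE. Beyond what the post shows, it also includes EXECUTE ... USING, which passes the value as a bound parameter instead of escaping it. It assumes a table named t with a single text column and a parameter type of text (the post uses bpchar); quote_literal and USING behave the same way for either type.

```sql
-- Added example, not from the original post. Assumes a table t(v text).
CREATE TABLE IF NOT EXISTS t (v text);

-- Static SQL: my_var is a bound parameter of the prepared statement that
-- PL/pgSQL builds for this line. Its value never becomes part of the
-- statement text, so no quoting is needed and nothing can be injected.
CREATE OR REPLACE FUNCTION insert_static(my_var text) RETURNS void AS $$
BEGIN
    INSERT INTO t VALUES (my_var);
END;
$$ LANGUAGE plpgsql VOLATILE;

-- Dynamic SQL built by plain concatenation: the value is pasted into the
-- statement text, so any quote character in it ends the literal early and
-- the remainder is parsed as SQL. This is the form to avoid.
CREATE OR REPLACE FUNCTION insert_dynamic_unsafe(my_var text) RETURNS void AS $$
BEGIN
    EXECUTE 'INSERT INTO t VALUES (''' || my_var || ''')';
END;
$$ LANGUAGE plpgsql VOLATILE;

-- Dynamic SQL with quote_literal, as in the post: the value is escaped into
-- a well-formed literal before it is concatenated.
CREATE OR REPLACE FUNCTION insert_dynamic_quoted(my_var text) RETURNS void AS $$
BEGIN
    EXECUTE 'INSERT INTO t VALUES (' || quote_literal(my_var) || ')';
END;
$$ LANGUAGE plpgsql VOLATILE;

-- Dynamic SQL with a bound parameter: USING hands the value to the executor
-- separately from the statement text, so no escaping is involved. Prefer
-- this whenever the value is data rather than an identifier.
CREATE OR REPLACE FUNCTION insert_dynamic_using(my_var text) RETURNS void AS $$
BEGIN
    EXECUTE 'INSERT INTO t VALUES ($1)' USING my_var;
END;
$$ LANGUAGE plpgsql VOLATILE;

-- Regression check: a value containing a single quote must round-trip
-- unchanged through every safe variant.
SELECT insert_static('O''Reilly');
SELECT insert_dynamic_quoted('O''Reilly');
SELECT insert_dynamic_using('O''Reilly');
SELECT v, count(*) FROM t GROUP BY v;

-- The unsafe variant is left commented out on purpose: with the same input
-- the assembled text is  INSERT INTO t VALUES ('O'Reilly')  and fails to parse.
-- SELECT insert_dynamic_unsafe('O''Reilly');
```

Running the three safe calls leaves three identical rows in t, each holding the string O'Reilly with its quote intact; the commented-out call fails with a syntax error because the quote terminates the literal, which is exactly the behaviour that, with a differently shaped input, turns concatenation into an injection point. When a function does need dynamic SQL, quote_literal (or format() with %L) is the right tool for values that must appear in the statement text and quote_ident for table or column names; for plain data values, EXECUTE ... USING avoids the question of quoting altogether.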

