Home > mailing lists

Re: binds only for s,u,i,d? - Mailing list pgsql-hackers

From	Neil Conway
Subject	Re: binds only for s,u,i,d?
Date	July 5, 2006 21:30:53
Msg-id	1152133336.5466.8.camel@localhost Whole thread Raw
In response to	binds only for s,u,i,d? (Agent M <agentm@themactionfaction.com>)
List	pgsql-hackers

Tree view

On Wed, 2006-07-05 at 06:55 -0400, Agent M wrote:
> Like you said, it would make sense to have binds anywhere where there 
> are quoted strings- if only for anti-injection. There could be a "flat" 
> plan which simply did the string substitution with the proper escaping 
> at execute time.

I don't see the point of implementing this in the backend. Perhaps what
you're really asking for is basically PQescapeIdentifier()?

> Escaping vulnerabilities would then be taken care of by server updates.

Escaping vulnerabilities are hardly the common case; in any case,
implementing this in libpq would allow a similar upgrade path.

-Neil

pgsql-hackers by date:

From: Martijn van Oosterhout
Date: 05 July 2006, 20:02:42
Subject: Re: Scan Keys

From: Chris Campbell
Date: 06 July 2006, 00:06:18
Subject: Re: lastval exposes information that currval does not

Re: binds only for s,u,i,d? - Mailing list pgsql-hackers

Previous

Next