Home > mailing lists

Re: Protection from SQL injection - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: Protection from SQL injection
Date	April 30, 2008 17:28:26
Msg-id	20390.1209576499@sss.pgh.pa.us Whole thread Raw
In response to	Re: Protection from SQL injection ("Gurjeet Singh" <singh.gurjeet@gmail.com>)
Responses	Re: Protection from SQL injection ("Gurjeet Singh" <singh.gurjeet@gmail.com>)
List	pgsql-hackers

Tree view

"Gurjeet Singh" <singh.gurjeet@gmail.com> writes:
> Maybe we can extend the SQL's WITH clause do declare the constant along with
> the query, and not separate from the query.

> WITH CONSTANT c_jobrole = 'clerk', CONSTANT c_dept = 10
> SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;

[ scratches head... ]  And that will provide SQL injection protection how?

Anyway, you hardly need new syntax to do that, I'd expect
WITH SELECT 'clerk' AS c_jobrole ...

to accomplish it just fine.
        regards, tom lane

pgsql-hackers by date:

From: "Gurjeet Singh"
Date: 30 April 2008, 17:11:20
Subject: Re: Protection from SQL injection

From: "Gurjeet Singh"
Date: 30 April 2008, 17:38:01
Subject: Re: Protection from SQL injection

Re: Protection from SQL injection - Mailing list pgsql-hackers

Previous

Next