Re: Preventing SQL Injection in PL/pgSQL in psql - Mailing list pgsql-general

From Tom Lane
Subject Re: Preventing SQL Injection in PL/pgSQL in psql
Date
Msg-id 26269.1147235839@sss.pgh.pa.us
In response to Re: Preventing SQL Injection in PL/pgSQL in psql  ("Merlin Moncure" <mmoncure@gmail.com>)
List pgsql-general
"Merlin Moncure" <mmoncure@gmail.com> writes:
> On 9 May 2006 17:04:31 -0700, Karen Hill <karen_hill22@yahoo.com> wrote:
>> Is my understanding correct that the following is vulnerable to SQL
>> injection in psql:
> ...
> no, IMO this is the safest and best option.

Neither of the options that Karen shows is dangerous.  What would be
dangerous is building a SQL command string and feeding it to EXECUTE
*without* using quote_literal.

I agree with Merlin that you shouldn't use EXECUTE unless you have to
--- it's both much slower than a precompiled statement, and much more
vulnerable to security mistakes.

            regards, tom lane
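The three cases Tom contrasts, as an added example that is not part of the thread or of PostgreSQL's own code: a PL/pgSQL function that splices caller input straight into an EXECUTE string, the same function with quote_literal (and quote_ident for the one thing EXECUTE is genuinely needed for, a dynamic identifier), and the plain static statement that needs no EXECUTE at all. The table "accounts" and the function names are assumptions made for the demonstration; EXECUTE ... INTO and quote_literal exist in the 8.1 release current at the time of the post, and the EXECUTE ... USING form noted in the comments was added later in 8.4.

```sql
-- Added example (not from the thread). Constructed table for the demonstration.
CREATE TABLE accounts (
    id      serial PRIMARY KEY,
    owner   text    NOT NULL,
    balance numeric NOT NULL
);
INSERT INTO accounts (owner, balance) VALUES ('alice', 100), ('bob', 20);

-- 1. Dangerous: the caller's string becomes part of the command text, so a
--    single quote in p_owner ends the literal and the rest is parsed as SQL.
CREATE OR REPLACE FUNCTION balance_unsafe(p_owner text) RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    EXECUTE 'SELECT balance FROM accounts WHERE owner = ''' || p_owner || ''''
        INTO v_balance;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- 2. Dynamic SQL done the way Tom describes: quote_literal doubles embedded
--    single quotes (and escapes backslashes according to the server's literal
--    rules), so whatever the caller sends stays inside one string literal.
--    The table name is the part that really needs EXECUTE; quote_ident wraps
--    it in double quotes and doubles any embedded double quotes.
--    (On 8.4 and later, EXECUTE ... USING $1 binds the value instead of
--    quoting it into the text; the quote_literal form below works on 8.1.)
CREATE OR REPLACE FUNCTION balance_quoted(p_table text, p_owner text)
RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    EXECUTE 'SELECT balance FROM ' || quote_ident(p_table)
         || ' WHERE owner = '       || quote_literal(p_owner)
        INTO v_balance;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- 3. The option Tom and Merlin prefer: no EXECUTE. PL/pgSQL prepares this
--    statement once per session and passes p_owner as a bound parameter, so it
--    can never be parsed as SQL and the plan is reused on every call.
CREATE OR REPLACE FUNCTION balance_static(p_owner text) RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    SELECT balance INTO v_balance FROM accounts WHERE owner = p_owner;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- Demonstration with a classic payload. In balance_unsafe the command text ends
-- up as   SELECT balance FROM accounts WHERE owner = 'x' OR 1=1 --'
-- so the WHERE clause is true for every row and INTO hands back the first row
-- the scan finds: a balance the caller had no business reading.
-- balance_quoted and balance_static search for an owner literally named
-- "x' OR 1=1 --", find nothing, and return NULL.
SELECT balance_unsafe($$x' OR 1=1 --$$)             AS unsafe,
       balance_quoted('accounts', $$x' OR 1=1 --$$) AS quoted,
       balance_static($$x' OR 1=1 --$$)             AS static;

-- quote_ident closes the other hole: a table argument such as
-- "accounts; DROP TABLE accounts" becomes one quoted identifier that does not
-- exist, and the function raises "relation ... does not exist" rather than
-- executing the appended statement.
SELECT balance_quoted($$accounts"; DROP TABLE accounts; --$$, 'alice');
```

Reading the three results side by side makes Tom's point concrete: the quoting functions make EXECUTE safe when you must build a command at run time, but the static form in balance_static is both the safer default and the faster one, because nothing is re-parsed and re-planned on each call.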
