Re: No parameters support in "create user"? - Mailing list pgsql-hackers

From Shachar Shemesh
Subject Re: No parameters support in "create user"?
Date
Msg-id 414F0C7D.4000306@shemesh.biz
In response to Re: No parameters support in "create user"?  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: No parameters support in "create user"?  (Tom Lane <tgl@sss.pgh.pa.us>)
Re: No parameters support in "create user"?  (Gaetano Mendola <mendola@bigfoot.com>)
List pgsql-hackers
Tom Lane wrote:

>Parameters are only supported in plannable statements
>(SELECT/INSERT/UPDATE/DELETE; I think there is some hack for DECLARE
>CURSOR these days too).

That's a shame.

Aside from executing prepared statements, parameters are also useful for 
preventing SQL injections. In those cases, they are useful for all 
commands, not only those that can be prepared.

Oh well. I'm not sure whether that's extremely clever or downright 
insane, but I'm solving this problem by calling "Select 
quote_literal($1)" and "select quote_id($1)", and then using the results.
         Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting ltd.
http://www.lingnu.com/
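
The workaround described in the message above, written out as an added example (not part of the original post and not PostgreSQL project code). It uses the built-in `quote_ident` for identifier quoting, on the assumption that this is the function the post calls "quote_id"; `quote_role` and `create_login` are hypothetical names, and the second half goes beyond the post by doing the same quoting inside a PL/pgSQL function.

```sql
-- Added example; quote_role and create_login are hypothetical names.

-- 1. Client-side pattern from the post: the untrusted values travel as
--    bind parameters to a plannable SELECT, and the server quotes them.
PREPARE quote_role(text, text) AS
    SELECT quote_ident($1)   AS role_ident,
           quote_literal($2) AS pw_literal;

-- Constructed input: a double quote embedded in the role name and a
-- single quote embedded in the password, the two characters that would
-- break out of naive string concatenation.
EXECUTE quote_role('o"brien', 'it''s a secret');

-- The client then concatenates only the two returned strings:
--   CREATE USER <role_ident> PASSWORD <pw_literal>

-- 2. Same idea in one round trip: a PL/pgSQL wrapper that is itself
--    called with bind parameters (SELECT create_login($1, $2)).
CREATE FUNCTION create_login(p_name text, p_password text)
RETURNS void
LANGUAGE plpgsql
AS $$
BEGIN
    -- quote_ident() and quote_literal() return NULL for NULL input, which
    -- would turn the whole command string into NULL; reject that up front.
    IF p_name IS NULL OR p_password IS NULL THEN
        RAISE EXCEPTION 'role name and password must not be NULL';
    END IF;

    EXECUTE 'CREATE USER ' || quote_ident(p_name)
         || ' PASSWORD '   || quote_literal(p_password);
END;
$$;

DEALLOCATE quote_role;
```

Either way the password still ends up inside the text of the `CREATE USER` command, so it can appear in the server log depending on the logging settings.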


