Pgsql roles, SQL injection, and utility statements - Mailing list pgsql-general

From Chris Travers
Subject Pgsql roles, SQL injection, and utility statements
Msg-id 46EAC0C0.4080805@travelamericas.com
List pgsql-general
Hi all;

I have a bit of concern about writing applications which use Pgsql roles
for security.

Since the utility statements are not parameterized, the easiest way to
manage the roles in an application is to use stored procedures which
EXECUTE strings to create SQL queries.   These EXECUTE statements
include user-supplied data, and since these would generally run with
some sort of administrative rights, I am worried about people doing
things like:
select * from add_user_to_role('username', 'rolename; drop table foo;');

Is this a problem?  Is there a way to do this safely?

Best Wishes,
Chris Travers
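The concern in the post, shown as an added example that is not part of the original thread: a PL/pgSQL role-management helper written first in the injectable form and then hardened with quote_ident(), a privilege whitelist and a locked-down search_path. The function names, the app_ role prefix and the app_admin login role are assumptions for illustration.

```sql
-- Added example (not from the original post). Names are assumptions.

-- Injectable form: the caller-supplied role name is pasted verbatim into the
-- utility statement, so a value like the one in the post
-- ('rolename; drop table foo;') is executed as a second statement with the
-- definer's privileges.
CREATE OR REPLACE FUNCTION add_user_to_role_unsafe(p_user text, p_role text)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    EXECUTE 'GRANT ' || p_role || ' TO ' || p_user;
END;
$$;

-- Hardened form: quote_ident() wraps each value in a single double-quoted
-- identifier, so 'rolename; drop table foo;' is looked up as one (nonexistent)
-- role name and GRANT raises an error instead of running a second statement.
-- format('%I', p_role) (PostgreSQL 9.1 and later) is the equivalent spelling.
CREATE OR REPLACE FUNCTION add_user_to_role(p_user text, p_role text)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- no caller-controlled schema lookups
AS $$
BEGIN
    -- Defence in depth: only roles this helper is meant to manage (assumed
    -- naming convention app_<name>), and they must already exist.
    IF p_role !~ '^app_[a-z0-9_]+$' THEN
        RAISE EXCEPTION 'role % is not manageable through this function', p_role;
    END IF;
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = p_role) THEN
        RAISE EXCEPTION 'unknown role %', p_role;
    END IF;
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = p_user) THEN
        RAISE EXCEPTION 'unknown user %', p_user;
    END IF;
    -- Identifiers quoted: no value can terminate the statement or add another.
    EXECUTE 'GRANT ' || quote_ident(p_role) || ' TO ' || quote_ident(p_user);
END;
$$;

-- SECURITY DEFINER functions are executable by PUBLIC by default; restrict the
-- helper to the application's administrative login role (assumed: app_admin).
REVOKE EXECUTE ON FUNCTION add_user_to_role(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION add_user_to_role(text, text) TO app_admin;
```

With the hardened function, the call from the post (`select * from add_user_to_role('username', 'rolename; drop table foo;')`) fails at the whitelist check, and even without that check the quoted identifier makes GRANT report a missing role rather than drop anything.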
