Re: ToDo: support for parameters in EXECUTE statement - Mailing list pgsql-hackers

From Heikki Linnakangas
Subject Re: ToDo: support for parameters in EXECUTE statement
Msg-id 4D36C401.8060007@enterprisedb.com
In response to ToDo: support for parameters in EXECUTE statement  (Pavel Stehule <pavel.stehule@gmail.com>)
Responses Re: ToDo: support for parameters in EXECUTE statement  (Pavel Stehule <pavel.stehule@gmail.com>)
List pgsql-hackers
On 19.01.2011 12:53, Pavel Stehule wrote:
> The EXECUTE statement doesn't support a parametrization via
> SPI_execute_with_args call and PQexecParams too. It can be a security
> issue. If somebody uses a prepared statement as protection to SQL
> injection, then all security goes out, because he has to call EXECUTE
> without parametrization.

Why don't you use SPI_prepare and SPI_open_query?

-- 
Heikki Linnakangas
EnterpriseDB   http://www.enterprisedb.com
