On Wed, 2023-06-21 at 11:00 +0200, Dominique Devienne wrote:
> For example with [NOTIFY][1]. The doc states:
>
> > Payload: This must be specified as a simple string literal
>
> Does that mean we cannot bind the payload?
> I.e. the pseudo code:
> ```
> conn.exec(bind(msg), "NOTIFY {} $1", conn.escapeName(channel));
> ```
> is invalid? And I must use instead
> ```
> conn.exec("NOTIFY {} {}", conn.escapeName(channel), conn.escapeLiteral(msg))`?
> ```
> I can try, of course, but could there be a obvious way to know what can and cannot be bound, just from the doc?
>
> That would make it easier to deal with SQL injection to be able to bind for example.
> And knowing what can be bound would be useful.
This is not adequately documented.
The documentation for PREPARE says:
Any SELECT, INSERT, UPDATE, DELETE, MERGE, or VALUES statement.
so NOTIFY is not supported. However, you need some inside knowledge to know
that what you are running is an "unnamed prepared statement" and that the limitation
stated in PREPARE applies.
Yours,
Laurenz Albe