Re: libpq: What can and cannot be bound? How to know? - Mailing list pgsql-general

From Laurenz Albe
Subject Re: libpq: What can and cannot be bound? How to know?
Date
Msg-id 6454cf9a4599cc4983a26613612e110917243ed0.camel@cybertec.at
Whole thread Raw
In response to libpq: What can and cannot be bound? How to know?  (Dominique Devienne <ddevienne@gmail.com>)
Responses Re: libpq: What can and cannot be bound? How to know?
List pgsql-general
On Wed, 2023-06-21 at 11:00 +0200, Dominique Devienne wrote:
> For example with [NOTIFY][1]. The doc states:
>
> > Payload: This must be specified as a simple string literal
>
> Does that mean we cannot bind the payload?
> I.e. the pseudo code:
> ```
> conn.exec(bind(msg), "NOTIFY {} $1", conn.escapeName(channel));
> ```
>  is invalid? And I must use instead
> ```
> conn.exec("NOTIFY {} {}", conn.escapeName(channel), conn.escapeLiteral(msg))`?
> ```
> I can try, of course, but could there be a obvious way to know what can and cannot be bound, just from the doc?
>
> That would make it easier to deal with SQL injection to be able to bind for example.
> And knowing what can be bound would be useful.

This is not adequately documented.

The documentation for PREPARE says:

  Any SELECT, INSERT, UPDATE, DELETE, MERGE, or VALUES statement.

so NOTIFY is not supported.  However, you need some inside knowledge to know
that what you are running is an "unnamed prepared statement" and that the limitation
stated in PREPARE applies.

Yours,
Laurenz Albe



pgsql-general by date:

Previous
From: Tomas Vondra
Date:
Subject: Re: pb with join plan
Next
From: Dominique Devienne
Date:
Subject: Re: libpq: What can and cannot be bound? How to know?