"Alex J. Avriette" <alex@posixnap.net> writes:
> On Sun, Feb 08, 2004 at 01:33:31PM -0500, Tom Lane wrote:
>> Actually, the extended-query message in the new FE/BE protocol works
>> exactly that way.
> (Tom is referring to this:
> http://archives.postgresql.org/pgsql-interfaces/2003-03/msg00017.php)
That's not a particularly helpful link, since it predates the whole
concept of the extended query protocol. See
http://www.postgresql.org/docs/7.4/static/protocol.html#PROTOCOL-QUERY-CONCEPTS
http://www.postgresql.org/docs/7.4/static/protocol-flow.html#AEN52626
particularly the NOTE in the latter section.
> How would you suggest implementing this? Having a "no subqueries" setting?
The app programmer could choose to use only extended queries and not
simple Query messages. (If using libpq, this means only PQexecParams
and never PQexec.)
> I agree with this as well. In my original message, I complained that there
> was no documentation at all. Since we offer documentation on how to code
> in plpgsql, pltcl, plperl, etc., it might be nice to include something.
> Even if it were something brief, such as suggesting escaped quotes and
> other suspicious characters, it would be better than the nothing that is
> there presently.
Is this "nothing"?
http://www.postgresql.org/docs/7.4/static/libpq-exec.html#LIBPQ-EXEC-ESCAPE-STRING
I don't think the docs are nearly as bereft of security-related items as
you claim. They may be scattered and poorly indexed, but they're there.
regards, tom lane
