On Sep 14, 2009, at 12:13 AM, Pavel Stehule wrote:
> 2009/9/13 decibel <decibel@decibel.org>:
>> On Sep 12, 2009, at 5:54 PM, Andrew Dunstan wrote:
>>>
>>> decibel wrote:
>>>>
>>>> Speaking of concatenation...
>>>>
>>>> Something I find sorely missing in plpgsql is the ability to put
>>>> variables inside of a string, ie:
>>>>
>>>> DECLARE
>>>> v_table text := ...
>>>> v_sql text;
>>>> BEGIN
>>>> v_sql := "SELECT * FROM $v_table";
>>>>
>>>> Of course, I'm assuming that if it was easy to do that it would
>>>> be done
>>>> already... but I thought I'd just throw it out there.
>>>>
>>>
>>> Then use a language that supports variable interpolation in
>>> strings, like
>>> plperl, plpythonu, plruby .... instead of plpgsql.
>>
>>
>> Which makes executing SQL much, much harder.
>>
>> At least if we get sprintf dealing with strings might become a bit
>> easier...
>
> This feature is nice - but very dangerous - it the most easy way how
> do vulnerable (on SQL injection) application!
How is it any worse than what people can already do? Anyone who isn't
aware of the dangers of SQL injection has already screwed themselves.
You're basically arguing that they would put a variable inside of
quotes, but they would never use ||.
--
Decibel!, aka Jim C. Nasby, Database Architect decibel@decibel.org
Give your computer some brain candy! www.distributed.net Team #1828