ToDo: support for parameters in EXECUTE statement - Mailing list pgsql-hackers

From Pavel Stehule
Subject ToDo: support for parameters in EXECUTE statement
Date
Msg-id AANLkTimVb2yOUse0kcGz7GM69tETY7px7K7L3+swDOzP@mail.gmail.com
Responses Re: ToDo: support for parameters in EXECUTE statement  (Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>)
List pgsql-hackers
Hello

The EXECUTE statement doesn't support parametrization via the
SPI_execute_with_args call or PQexecParams either. It can be a security
issue. If somebody uses a prepared statement as protection against SQL
injection, then all security goes out, because he has to call EXECUTE
without parametrization.

Regards

Pavel Stehule
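The problem the post describes, as an added example (not code from the post or from PostgreSQL): SQL-level EXECUTE has no parameter slots, so a caller who prepared a statement with PREPARE and wants to run it from a client has to render the argument values into the SQL text. The example contrasts the naive rendering with two defensive alternatives: rendering through a quoting routine modelled on PostgreSQL's quote_literal()/PQescapeLiteral rules, and skipping SQL-level PREPARE/EXECUTE in favour of protocol-level parameters as PQexecParams/PQexecPrepared send them. The statement name find_user, the query text and the argument values are constructed for the illustration.

```python
# Added example: why a hand-built EXECUTE statement loses the protection a
# prepared statement was meant to give, and how to keep it.

def quote_literal(value):
    """Quote a value as a PostgreSQL string literal.

    Modelled on PostgreSQL's quote_literal()/PQescapeLiteral behaviour:
    embedded single quotes are doubled; if the text contains a backslash,
    the literal is written in E'...' form with backslashes doubled too, so
    the result is safe whatever standard_conforming_strings is set to.
    None becomes NULL.
    """
    if value is None:
        return "NULL"
    text = str(value)
    if "\\" in text:
        body = text.replace("\\", "\\\\").replace("'", "''")
        return "E'" + body + "'"
    return "'" + text.replace("'", "''") + "'"


def quote_ident(name):
    """Quote an identifier (here the prepared statement name) with double quotes."""
    return '"' + name.replace('"', '""') + '"'


def build_execute_unsafe(stmt_name, args):
    """The pattern the post warns about: values are spliced into the SQL text.

    An embedded single quote in any argument terminates the literal early, so
    the prepared statement no longer separates code from data.
    """
    rendered = ", ".join("'" + str(a) + "'" for a in args)
    return "EXECUTE " + stmt_name + "(" + rendered + ")"


def build_execute_quoted(stmt_name, args):
    """Same statement, but every argument passes through quote_literal().

    This keeps the generated text well-formed regardless of argument content;
    it is still text, so it is a fallback rather than the preferred route.
    """
    rendered = ", ".join(quote_literal(a) for a in args)
    return "EXECUTE " + quote_ident(stmt_name) + "(" + rendered + ")"


def protocol_prepared_request(query_text, args):
    """Preferred route: send the original query with $n placeholders and the
    values out-of-band, as PQexecParams / PQexecPrepared do.

    Returns the (query, params) pair that would go on the wire; the values
    never enter the SQL text at all.
    """
    return {"query": query_text,
            "params": [None if a is None else str(a) for a in args]}


if __name__ == "__main__":
    # Constructed sample input: a name containing a single quote.
    name = "O'Reilly"
    print(build_execute_unsafe("find_user", [name]))          # literal breaks
    print(build_execute_quoted("find_user", [name, 42]))      # well-formed
    print(protocol_prepared_request(
        "SELECT * FROM users WHERE name = $1", [name]))       # value stays out of SQL
```

The unsafe builder is included only to make the failure visible next to the two safe forms; in client code the protocol-level path is the one to use, since it needs no quoting logic at all.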

