2011/1/19 Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>:
> On 19.01.2011 12:53, Pavel Stehule wrote:
>>
>> The EXECUTE statement doesn't support a parametrization via
>> SPI_execute_with_args call and PQexecParams too. It can be a security
>> issue. If somebody use a prepared statement as protection to sql
>> injection, then all security goes out, because he has to call EXECUTE
>> without parametrization.
>
> Why don't you use SPI_prepare and SPI_open_query ?
I have to execute a session's prepared statement - created with
PREPARE statement.
Pavel
>
> --
> Heikki Linnakangas
> EnterpriseDB http://www.enterprisedb.com
>