Home > mailing lists

Re: ToDo: support for parameters in EXECUTE statement - Mailing list pgsql-hackers

From	Pavel Stehule
Subject	Re: ToDo: support for parameters in EXECUTE statement
Date	January 19, 2011 10:54:58
Msg-id	AANLkTinPfJow3JqZZgpqS_2j9bbkUc7Dtm=GyAJ1tnMh@mail.gmail.com Whole thread Raw
In response to	Re: ToDo: support for parameters in EXECUTE statement (Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>)
List	pgsql-hackers

Tree view

2011/1/19 Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>:
> On 19.01.2011 12:53, Pavel Stehule wrote:
>>
>> The EXECUTE statement doesn't support a parametrization via
>> SPI_execute_with_args call and PQexecParams too. It can be a security
>> issue. If somebody use a prepared statement as protection to sql
>> injection, then all security goes out, because he has to call EXECUTE
>> without parametrization.
>
> Why don't you use SPI_prepare and SPI_open_query ?

I have to execute a session's prepared statement - created with
PREPARE statement.

Pavel



>
> --
>  Heikki Linnakangas
>  EnterpriseDB   http://www.enterprisedb.com
>

pgsql-hackers by date:

From: Heikki Linnakangas
Date: 19 January 2011, 09:59:29
Subject: Re: ToDo: support for parameters in EXECUTE statement

From: Simon Riggs
Date: 19 January 2011, 11:36:20
Subject: Re: [COMMITTERS] pgsql: Log replication connections only when log_connections is on

Re: ToDo: support for parameters in EXECUTE statement - Mailing list pgsql-hackers

Previous

Next