On Wed, 2023-06-21 at 11:00 +0200, Dominique Devienne wrote:
> [...] obvious way to know what can and cannot be bound, just from the doc?
This is not adequately documented.
Bummer.
The documentation for PREPARE says:
Note that I'm not even preparing in this case, but using PQexecParams() instead.
So I'm unlikely to look at the PREPARE doc, but the one from the COMMAND
I'm actually using, i.e. NOTIFY in my example.
so NOTIFY is not supported.
Bummer again.
So I must PQescapeIdentifier() and PQescapeLiteral() to have an iron-clad NOTIFY,
as the 2nd pseudo-code above showed then. Thanks for confirming Laurenz.
However, you need some inside knowledge to know
that what you are running is an "unnamed prepared statement" and that the limitation
stated in PREPARE applies.
I don't know what shape or form this could be specified in the doc.
Maybe specific and consistent typography for each "argument" kind,
like names, non-bind-able literals, bind-able literals? Just thinking aloud.
With a link in all commands to a "central" page about SQL Injection and binding and format(), etc... maybe?
I do find it strange, from the user perspective, not to be able to bind the NOTIFY's payload text message.
Or be able to bind the password in a CREATE USER. (Yes, I know about PQencryptPasswordConn()).
I'm sure there are good technical reason. But from the outside, it is surprising and a bit inconsistent.
My $0.02. --DD