Re: How does one make the following psql statement sql-injection resilient? - Mailing list pgsql-general

From David G. Johnston
Subject Re: How does one make the following psql statement sql-injection resilient?
Date
Msg-id CAKFQuwZSTGUqg6pG1QaE_YVwCaneHYRpMd2FJmwmY5Wbb3OT0A@mail.gmail.com
In response to Re: How does one make the following psql statement sql-injection resilient?  ("David G. Johnston" <david.g.johnston@gmail.com>)
Responses Re: How does one make the following psql statement sql-injection resilient?  (Alvaro Herrera <alvherre@2ndquadrant.com>)
List pgsql-general
On Mon, Mar 16, 2015 at 9:31 PM, David G. Johnston <david.g.johnston@gmail.com> wrote:
On Monday, March 16, 2015, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
David G. Johnston wrote:

> Thanks!  I got the gist even with the typo.  I actually pondered about
> prepare/execute after hitting send.  Am I correct in remembering that
> "CREATE TEMP TABLE" cannot be prepared?  I was using the actual query with
> CREATE TEMP TABLE and then issuing "\copy" to dump the result out to the
> file.  The limitation of copy to having to be written on a single line
> makes the intermediary temporary table seem almost a necessity.

CREATE TEMP TABLE AS EXECUTE


Thanks.

Though unless I need to work on the temp table I think:

PREPARE ...;
\copy (EXECUTE ...) TO '~/temp.csv' ...;

Gives the best of all worlds.


Except that server "COPY" only is documented to accept a "query" that begins with either SELECT or VALUES :(

I hereby voice my desire for EXECUTE to be usable as well.

David J.
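As an added illustration of the pattern the thread arrives at (not code from any of the posters): a server-side PREPARE with typed parameters, CREATE TEMP TABLE AS EXECUTE to materialise the result, and a single-line \copy that reads from the temp table because \copy only accepts a query beginning with SELECT or VALUES. The table, column, parameter and file names are assumed for the example.

```sql
-- Added example, not from the mailing-list thread. Typed into psql.
-- Table and column names (orders, created_at, ...) are assumptions.

-- 1. Prepare the query once with typed parameters. The parameter values are
--    sent separately from the statement text, so user-supplied input cannot
--    change the shape of the query.
PREPARE export_orders (date, date) AS
    SELECT id, customer_id, total
    FROM orders
    WHERE created_at >= $1 AND created_at < $2;

-- 2. CREATE TEMP TABLE cannot itself be prepared, but it can consume a
--    prepared statement via EXECUTE (the "CREATE TEMP TABLE AS EXECUTE" form).
--    The two dates below are constructed sample values.
CREATE TEMP TABLE export_rows AS
    EXECUTE export_orders('2015-01-01', '2015-02-01');

-- 3. \copy must fit on one line and only accepts a SELECT or VALUES query,
--    so read from the temp table rather than passing EXECUTE directly.
\copy (SELECT * FROM export_rows) TO '~/temp.csv' WITH (FORMAT csv, HEADER)

-- 4. Clean up; the temp table would also vanish at session end.
DEALLOCATE export_orders;
DROP TABLE export_rows;
```

Note that \copy is a psql meta-command and ends at the end of the line, so no terminating semicolon is needed there; everything else is ordinary SQL sent to the server.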
