How does one make the following psql statement sql-injection resilient? - Mailing list pgsql-general

From David G. Johnston
Subject How does one make the following psql statement sql-injection resilient?
Date
Msg-id CAKFQuwbxvjF4+Ey5iFK6FdtoU8Z-7o+BmcxgcvB323W_Ev8SBA@mail.gmail.com
Responses Re: How does one make the following psql statement sql-injection resilient?
List pgsql-general
psql "$SERVICE" \
     --echo-queries \
     --set=string_input="${1:-ok_to_return}" \
     --set=start="${2:-5}" \
     --set=end="${3:-10}" \
<<'SQL'
    SELECT idx
        FROM generate_series(1, 20) gs (idx)
        WHERE 'short-circuit' != :'string_input'
        AND idx BETWEEN :start AND :end;
SQL

# (6 rows)

--set=end="${3:-10 AND false}"

# (0 rows)

Am I forced to represent the input as text (using :'end') and then perform a conversion to integer?

Thanks!

David J.
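One defensive layout for the script above, as an added example that is not part of David's post or of any reply in the thread: the bounds are checked in the shell before psql is invoked, and inside the query they are interpolated as quoted literals (:'start', :'end') and cast to integer, so a value such as "10 AND false" either fails the shell check or reaches PostgreSQL only as the string '10 AND false'::int, which raises an error instead of rewriting the predicate. The $SERVICE connection string, the psql --set/--echo-queries flags and the query itself are taken from the post; is_int, check_bounds and run_query are hypothetical names introduced here, and psql is only run when it is installed so the validation functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post. Shell-side validation of the
# integer bounds plus :'var'::int interpolation on the SQL side.

# Return 0 only when $1 is a plain decimal integer (optional leading minus).
is_int() {
    printf '%s\n' "$1" | grep -Eq '^-?[0-9]+$'
}

# Validate both bounds; report the first bad one on stderr and return 1.
check_bounds() {
    for v in "$1" "$2"; do
        is_int "$v" || { printf 'rejected non-integer bound: %s\n' "$v" >&2; return 1; }
    done
    return 0
}

# Same query as the post, but start/end are passed as quoted literals and cast.
# Arguments: [string_input] [start] [end], with the post's defaults.
# $SERVICE is assumed to hold the connection string, as in the post.
run_query() {
    string_input=${1:-ok_to_return}
    start=${2:-5}
    end=${3:-10}
    check_bounds "$start" "$end" || return 1
    # Only invoke psql when it is available; the functions above still work without it.
    command -v psql >/dev/null 2>&1 || { echo 'psql not found; skipping query' >&2; return 2; }
    psql "$SERVICE" \
         --echo-queries \
         --set=string_input="$string_input" \
         --set=start="$start" \
         --set=end="$end" \
    <<'SQL'
    SELECT idx
        FROM generate_series(1, 20) gs (idx)
        WHERE 'short-circuit' != :'string_input'
        AND idx BETWEEN :'start'::int AND :'end'::int;
SQL
}
```

Sourcing the script and calling run_query "$@" reproduces the original behaviour for well-formed input; with the third argument set to "10 AND false" the shell check rejects it before psql starts, and even if the check were bypassed the :'end'::int cast leaves PostgreSQL nothing to execute but an invalid integer literal.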
