Home > mailing lists

Re: BUG #15794: Defects regarding stored procedure parameters - Mailing list pgsql-bugs

From	David G. Johnston
Subject	Re: BUG #15794: Defects regarding stored procedure parameters
Date	May 7, 2019 22:14:59
Msg-id	CAKFQuwbzOdxFDN80aXRaw26jgyb8W0MY6i_pwz1SuiPQFq-T=Q@mail.gmail.com Whole thread Raw
In response to	BUG #15794: Defects regarding stored procedure parameters (PG Bug reporting form <noreply@postgresql.org>)
List	pgsql-bugs

Tree view

On Tue, May 7, 2019 at 1:47 AM PG Bug reporting form <noreply@postgresql.org> wrote:

The following bug has been logged on the website:

Bug reference: 15794

Not a bug.

When the parameter name of the stored procedure is the same as the table
field name of the update statement, a problem is caused: "field association
is ambiguous."

https://www.postgresql.org/docs/11/plpgsql-structure.html

See in particular the note. But usually parameters names are constructed uniquely in order to simply avoid this issue.

(this function also have a problem, PostgreSQL after 9, SQL string escape is
cumbersome)

Then don't use string escaping to build dynamic SQL, use the recommended format() function.

https://www.postgresql.org/docs/11/plpgsql-statements.html#PLPGSQL-STATEMENTS-EXECUTING-DYN

v_sql := 'UPDATE public.student SET name = ' || E'\'' ||
update_student.name || E'\'' ||
' WHERE id = ' || E'\'' || id || E'\'' || ';';
EXECUTE v_sql;

I don't even want to try and understand or explain how broken the above might be...but I doubt it does what you think plus its vulnerable to SQL injection.

David J.

pgsql-bugs by date:

From: James Tomson
Date: 07 May 2019, 19:22:39
Subject: Re: invalid memory alloc request size from pg_stat_activity?

From: Thomas Munro
Date: 08 May 2019, 03:17:42
Subject: Re: BUG #15793: Required Community Version Installs not thecustomized EnterpriseDB one.

Re: BUG #15794: Defects regarding stored procedure parameters - Mailing list pgsql-bugs

Previous

Next