> -----Original Message-----
> From: Asko Oja [mailto:ascoja@gmail.com]
> Sent: Wednesday, September 15, 2010 2:29 PM
> To: Igor Neyman
> Cc: Tatarnikov Alexander; pgsql-sql@postgresql.org
> Subject: Re: [SQL] Use "CREATE USER" in plpgsql function -
> Found word(s) list error in the Text body
>
> And dynamic SQL leads easily to SQL injection so quoting is
> required there.
>
> execute 'create user ' || quote_ident(i_username) ||
> ' password ' || quote_literal(i_password);
>
>
> On Wed, Sep 15, 2010 at 5:26 PM, Igor Neyman
> <ineyman@perceptron.com> wrote:
>
That's too "generic".
I was answering specific question.
Now, yes, dynamic SQL could be used for SQL injection, if not used
carefully.
But, it exists for a reason.
And in this particular case userName and userPassword are retrieved from a
table.
So, care should be taken (appropriate checks to be done) when these
values are inserted into the table.
Btw, do you have another answer to the OP's question?
Regards,
Igor Neyman
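An added example, not code from either poster, showing the difference between the two approaches discussed above when the user name and password come out of a table. The table name `pending_users`, its columns, and the function names are assumptions for the illustration; the quoting functions are the ones Asko named.

```sql
-- Added example; assumes a staging table pending_users(username, password)
-- that the function reads from, and that the caller has CREATEROLE.
CREATE TABLE pending_users (
    username text PRIMARY KEY,
    password text NOT NULL
);

-- Unsafe: raw concatenation. Whatever was inserted into the table becomes
-- part of the statement text, so a stored username of 'bob WITH SUPERUSER'
-- yields a syntactically valid "CREATE USER bob WITH SUPERUSER PASSWORD '...'".
CREATE OR REPLACE FUNCTION create_user_unsafe(p_username text) RETURNS void AS $$
DECLARE
    r pending_users%ROWTYPE;
BEGIN
    SELECT * INTO STRICT r FROM pending_users WHERE username = p_username;
    EXECUTE 'CREATE USER ' || r.username
         || ' PASSWORD ''' || r.password || '''';
END;
$$ LANGUAGE plpgsql;

-- Hardened: quote_ident() turns the name into exactly one identifier
-- (double-quoted if needed), and quote_literal() turns the password into
-- exactly one string literal, so neither value can add keywords or clauses.
CREATE OR REPLACE FUNCTION create_user_safe(p_username text) RETURNS void AS $$
DECLARE
    r pending_users%ROWTYPE;
BEGIN
    SELECT * INTO STRICT r FROM pending_users WHERE username = p_username;
    EXECUTE 'CREATE USER ' || quote_ident(r.username)
         || ' PASSWORD ' || quote_literal(r.password);
END;
$$ LANGUAGE plpgsql;

-- Constructed sample rows: one ordinary user, one with a hostile name,
-- one with a hostile password.
INSERT INTO pending_users VALUES ('alice', 's3cret');
INSERT INTO pending_users VALUES ('bob WITH SUPERUSER', 'x');
INSERT INTO pending_users VALUES ('carol', 'x'' SUPERUSER --');

-- Compare the statement text each approach would run, without executing it.
SELECT username,
       'CREATE USER ' || username || ' PASSWORD ''' || password || ''''
           AS unsafe_stmt,
       'CREATE USER ' || quote_ident(username)
           || ' PASSWORD ' || quote_literal(password)
           AS safe_stmt
FROM pending_users
ORDER BY username;
```

For the second row the unsafe statement creates a superuser named bob, while the safe one creates an unprivileged role literally named `"bob WITH SUPERUSER"`; for the third row the unsafe statement ends in `PASSWORD 'x' SUPERUSER --'`, while `quote_literal` produces `'x'' SUPERUSER --'`, a single string. Two caveats worth checking alongside the input validation Igor mentions: if such a function is declared `SECURITY DEFINER`, any injection runs with the definer's privileges rather than the caller's, and `quote_literal(NULL)` returns NULL, which makes the whole concatenated statement NULL and causes EXECUTE to fail, so a NOT NULL constraint (as above) or `quote_nullable()` is needed for nullable columns.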