Re: Avoiding SQL injection in Dynamic Queries (in plpgsql) - Mailing list pgsql-general

From Allan Kamau
Subject Re: Avoiding SQL injection in Dynamic Queries (in plpgsql)
Msg-id ab1ea6541003170206q63679f41g1d2340ea2e1e480d@mail.gmail.com
In response to Re: Avoiding SQL injection in Dynamic Queries (in plpgsql)  (Craig Ringer <craig@postnewspapers.com.au>)
List pgsql-general
On Wed, Mar 17, 2010 at 11:41 AM, Craig Ringer
<craig@postnewspapers.com.au> wrote:
> Allan Kamau wrote:
>> When writing dynamic commands (those having "EXECUTE 'some SQL
>> query';), is there a way to prevent interpretation of input parameters
>> as pieces of SQL commands?
>
> EXECUTE ... USING
>
> --
> Craig Ringer
>

Thanks Craig, EXECUTE ... USING is what I had overlooked all this time.
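The difference between string concatenation and EXECUTE ... USING, shown side by side as an added example (this is not code from the thread; the function names, the `people` table and the sample rows are constructed for illustration, and EXECUTE ... USING requires PostgreSQL 8.4 or later). USING binds values only; an identifier such as a table name still has to go through quote_ident(), since a parameter cannot stand in for an object name.

```sql
-- Vulnerable: the caller's strings are spliced into the SQL text, so a
-- value such as $$x' OR '1'='1$$ rewrites the WHERE clause.
CREATE OR REPLACE FUNCTION count_by_name_unsafe(tbl text, who text)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE 'SELECT count(*) FROM ' || tbl || ' WHERE name = ''' || who || ''''
        INTO n;
    RETURN n;
END;
$$;

-- Hardened: the value is passed as a bound parameter ($1) through
-- EXECUTE ... USING, so the planner never sees it as SQL text. The table
-- name is an identifier, which USING cannot bind, so it is escaped with
-- quote_ident() instead.
CREATE OR REPLACE FUNCTION count_by_name_safe(tbl text, who text)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE 'SELECT count(*) FROM ' || quote_ident(tbl) || ' WHERE name = $1'
        INTO n
        USING who;
    RETURN n;
END;
$$;

-- Constructed sample data to exercise both functions (assumption: a
-- session where a temporary table may be created).
CREATE TEMP TABLE people(name text);
INSERT INTO people VALUES ('alice'), ('bob');

-- Same hostile input against both functions.
SELECT count_by_name_unsafe('people', $$x' OR '1'='1$$);
SELECT count_by_name_safe('people', $$x' OR '1'='1$$);
```

The unsafe call executes `SELECT count(*) FROM people WHERE name = 'x' OR '1'='1'`, so the injected OR matches every row; the safe call compares the whole string literally against `name` and matches nothing. The same rule applies to every other value in a dynamic statement: pass it through USING, and reserve quote_ident() (or, from PostgreSQL 9.1, format() with %I) for the identifiers that USING cannot cover.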
