Thread: BUG #13753: Docs for plpy.execute() miss info about quoting
The following bug has been logged on the website:

Bug reference:      13753
Logged by:          Thomas Güttler
Email address:      guettliml@thomas-guettler.de
PostgreSQL version: 9.4.5
Operating system:   Linux
Description:

This page misses important information:

http://www.postgresql.org/docs/9.4/static/plpython-database.html

How to quote the arguments? The relevant information is here:

http://www.postgresql.org/docs/9.4/static/plpython-util.html

Please include a link from the execute() docs to the quoting docs.

I was trapped by a bug made by a teammate who did no quoting. Not quoting the values of a SQL query can lead to SQL injection, which is a big security concern. Please add a note to the docs.

Thank you.
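The quoting problem the report describes, as an added example that is not part of the thread or of the PostgreSQL docs: a PL/Python function that splices its argument into the SQL text, beside the hardened forms using plpy.prepare() with typed parameters and plpy.quote_ident(). The table "accounts" and the function names are assumed for illustration.

```sql
-- UNSAFE: the caller-supplied value is pasted into the SQL text, so a quote
-- character inside it changes the statement (the bug reported above).
CREATE FUNCTION get_balance_unsafe(owner text) RETURNS numeric
LANGUAGE plpythonu AS $$
    rows = plpy.execute("SELECT balance FROM accounts WHERE owner = '%s'" % owner)
    return rows[0]["balance"] if rows else None
$$;

-- SAFE: plpy.prepare() declares $1 as a typed parameter and the value is
-- handed to plpy.execute() separately, so it is never parsed as SQL.
CREATE FUNCTION get_balance(owner text) RETURNS numeric
LANGUAGE plpythonu AS $$
    plan = plpy.prepare("SELECT balance FROM accounts WHERE owner = $1", ["text"])
    rows = plpy.execute(plan, [owner])
    return rows[0]["balance"] if rows else None
$$;

-- Parameters cannot stand in for identifiers such as a table name; for those
-- use plpy.quote_ident() (and plpy.quote_literal() for values that must be
-- inlined as text), which are the helpers the plpython-util page documents.
CREATE FUNCTION count_rows(tbl text) RETURNS bigint
LANGUAGE plpythonu AS $$
    rows = plpy.execute("SELECT count(*) AS n FROM %s" % plpy.quote_ident(tbl))
    return rows[0]["n"]
$$;
```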
guettliml@thomas-guettler.de writes:
> This page misses important information:
> http://www.postgresql.org/docs/9.4/static/plpython-database.html
> How to quote the arguments?

AFAICS, none of the examples shown there require quoting of arguments, so the issue doesn't really come up naturally.

> The relevant information is here:
> http://www.postgresql.org/docs/9.4/static/plpython-util.html
> Please include a link from the execute() docs to the quoting docs.

We cannot put everything on one page; that will not make it more readable or understandable.

			regards, tom lane