Thread: Avoiding SQL injection in Dynamic Queries (in plpgsql)
When writing dynamic commands (those having "EXECUTE 'some SQL query';), is there a way to prevent interpretation of input parameters as pieces of SQL commands? Does quote_literal() function implicitly protect against this unwanted behaviour. Allan.
Allan Kamau wrote: > When writing dynamic commands (those having "EXECUTE 'some SQL > query';), is there a way to prevent interpretation of input parameters > as pieces of SQL commands? EXECUTE ... USING -- Craig Ringer
On Wed, Mar 17, 2010 at 11:41 AM, Craig Ringer <craig@postnewspapers.com.au> wrote: > Allan Kamau wrote: >> When writing dynamic commands (those having "EXECUTE 'some SQL >> query';), is there a way to prevent interpretation of input parameters >> as pieces of SQL commands? > > EXECUTE ... USING > > -- > Craig Ringer > Thanks Craig, EXECUTE .. USING is what I had overlooked all this time.
2010/3/17 Allan Kamau <kamauallan@gmail.com>: > When writing dynamic commands (those having "EXECUTE 'some SQL > query';), is there a way to prevent interpretation of input parameters > as pieces of SQL commands? Does quote_literal() function implicitly > protect against this unwanted behaviour. quote_literal, quote_identif are enough, but USING clause is better and faster. Sometimes you have to use a combination: execute 'select foo from ' || tabname::regclass || ' WHERE a = $1' USING value; Pavel > > Allan. > > -- > Sent via pgsql-general mailing list (pgsql-general@postgresql.org) > To make changes to your subscription: > http://www.postgresql.org/mailpref/pgsql-general >