ToDo: support for parameters in EXECUTE statement

From: Pavel Stehule
Hello

The EXECUTE statement doesn't support parametrization via the
SPI_execute_with_args call or PQexecParams either. It can be a security
issue. If somebody uses a prepared statement as protection against SQL
injection, then all security goes out, because he has to call EXECUTE
without parametrization.

Regards

Pavel Stehule
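To make the problem concrete, here is an added illustration that is not part of the thread and not PostgreSQL code. It assumes a hypothetical session-level statement `find_user` created with `PREPARE find_user(text) AS ...`. Because the values cannot be sent out of band to EXECUTE, the client has to splice them into the SQL text itself; the builder below does so with standard-conforming string literals (single quotes doubled), a naive builder does not, and a small literal parser shows that the naive text no longer contains the value the caller intended. In real code the quoting should come from the driver or server (PQescapeLiteral, quote_literal) so it matches the connection's string settings; this helper assumes standard_conforming_strings = on.

```python
import re

# Hypothetical statement name for the examples; the thread names no statement.
STMT = "find_user"

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_EXECUTE = re.compile(r"^EXECUTE\s+([A-Za-z_][A-Za-z0-9_]*)\s*\((.*)\)\s*$", re.S)


def quote_literal(value):
    """Return a PostgreSQL string literal for value (None becomes NULL).

    Single quotes are doubled. Backslashes are left alone, which is only
    correct when standard_conforming_strings = on; with it off they are
    escape characters and the connection's own quoting function must be used.
    """
    if value is None:
        return "NULL"
    return "'" + str(value).replace("'", "''") + "'"


def build_execute(stmt_name, params):
    """EXECUTE text for a session-level prepared statement, values quoted."""
    if not _IDENT.match(stmt_name):
        raise ValueError(f"invalid prepared statement name: {stmt_name!r}")
    if not params:
        return f"EXECUTE {stmt_name}"
    return f"EXECUTE {stmt_name}({', '.join(quote_literal(p) for p in params)})"


def build_execute_naive(stmt_name, params):
    """The pattern the thread warns about: values pasted in without quoting."""
    return f"EXECUTE {stmt_name}({', '.join(chr(39) + str(p) + chr(39) for p in params)})"


def parse_execute_params(sql):
    """Decode the parameter list of an EXECUTE statement back into values.

    Understands only NULL and standard-conforming string literals, which is
    all build_execute emits. Raises ValueError when the text does not parse
    as a clean comma-separated list, i.e. when a value has broken out of its
    literal and changed the statement's structure.
    """
    m = _EXECUTE.match(sql)
    if not m:
        raise ValueError("not an EXECUTE statement with a parameter list")
    body = m.group(2)
    values, i, n = [], 0, len(body)
    while i < n:
        while i < n and body[i].isspace():
            i += 1
        if body.startswith("NULL", i):
            values.append(None)
            i += 4
        elif i < n and body[i] == "'":
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated string literal")
                if body[i] == "'":
                    if i + 1 < n and body[i + 1] == "'":   # doubled quote
                        buf.append("'")
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(body[i])
                i += 1
            values.append("".join(buf))
        else:
            raise ValueError(f"unexpected token at offset {i}: {body[i:i + 10]!r}")
        while i < n and body[i].isspace():
            i += 1
        if i < n:
            if body[i] != ",":
                raise ValueError(f"expected ',' at offset {i}, got {body[i]!r}")
            i += 1
            if i >= n:
                raise ValueError("trailing comma in parameter list")
    return values


def is_malformed(sql):
    """True when the EXECUTE text no longer parses as one value per literal."""
    try:
        parse_execute_params(sql)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    name = "O'Brien"                      # constructed input containing a quote
    print(build_execute(STMT, [name]))        # EXECUTE find_user('O''Brien')
    print(build_execute_naive(STMT, [name]))  # EXECUTE find_user('O'Brien')
    print(is_malformed(build_execute_naive(STMT, [name])))  # True
```

Running the module shows the quoted form decoding back to the original value while the naive form fails to parse, which is exactly the loss of the prepared statement's protection described in the post.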


Re: ToDo: support for parameters in EXECUTE statement

From: Heikki Linnakangas
On 19.01.2011 12:53, Pavel Stehule wrote:
> The EXECUTE statement doesn't support parametrization via the
> SPI_execute_with_args call or PQexecParams either. It can be a security
> issue. If somebody uses a prepared statement as protection against SQL
> injection, then all security goes out, because he has to call EXECUTE
> without parametrization.

Why don't you use SPI_prepare and SPI_open_query ?

-- 
Heikki Linnakangas
EnterpriseDB   http://www.enterprisedb.com


Re: ToDo: support for parameters in EXECUTE statement

From: Pavel Stehule
2011/1/19 Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>:
> On 19.01.2011 12:53, Pavel Stehule wrote:
>>
>> The EXECUTE statement doesn't support parametrization via the
>> SPI_execute_with_args call or PQexecParams either. It can be a security
>> issue. If somebody uses a prepared statement as protection against SQL
>> injection, then all security goes out, because he has to call EXECUTE
>> without parametrization.
>
> Why don't you use SPI_prepare and SPI_open_query ?

I have to execute a session's prepared statement - created with
PREPARE statement.

Pavel
