From: | Kaleb Akalework <kaleb(dot)akalework(at)asg(dot)com> |
---|---|
To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
Cc: | "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
Subject: | RE: BUG #15632: Correctly escaped strings are mishandled in function |
Date: | 2019-02-11 18:47:45 |
Message-ID: | 9a50071e113043ecb543f0edac270d23@asg.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
To be clear what I want is to send in 'SOLD''' in the function so in the query it can be used as is to store the final string as SOLD'. IF I use the functions you mention it will just "" or add more quotes. Which is not what I want.
-----Original Message-----
From: David G. Johnston <david(dot)g(dot)johnston(at)gmail(dot)com>
Sent: Monday, February 11, 2019 1:28 PM
To: Kaleb Akalework <kaleb(dot)akalework(at)asg(dot)com>
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #15632: Correctly escaped strings are mishandled in function
*** External email: Verify sender before opening attachments or links ***
On Mon, Feb 11, 2019 at 11:22 AM Kaleb Akalework <kaleb(dot)akalework(at)asg(dot)com> wrote:
> v_sql := ' WITH upd AS ( ';
> v_sql := v_sql || ' UPDATE ' || v_tpc_db_table || ' ';
> v_sql := v_sql || ' SET topic_value = ' || v_replace_str || ' ';
> v_sql := v_sql || ' WHERE topic_value = ''' || p_old_value || ''' ';
> v_sql := v_sql || ' RETURNING 1 ) ';
> v_sql := v_sql || ' SELECT COUNT(*) FROM upd ';
PostgreSQL provides two features to avoid writing SQL-injection prone code like this. Use one of them.
quote_literal() and related functions
The format() function and its %L and related specifiers.
You can also place "$n" placeholders into the dynamic command as pass literals in via EXECUTE USING.
Or some combination of the above.
This is all nicely covered in the documentation for pl/pgsql regarding executing dynamic commands.
David J.
From | Date | Subject | |
---|---|---|---|
Next Message | David G. Johnston | 2019-02-11 19:03:58 | Re: BUG #15632: Correctly escaped strings are mishandled in function |
Previous Message | Kaleb Akalework | 2019-02-11 18:32:43 | RE: BUG #15632: Correctly escaped strings are mishandled in function |