
Re: Protection from SQL injection

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Gurjeet Singh" <singh(dot)gurjeet(at)gmail(dot)com>
Cc: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-30 17:28:19
Message-ID: 20390.1209576499@sss.pgh.pa.us
Lists: pgsql-hackers
"Gurjeet Singh" <singh(dot)gurjeet(at)gmail(dot)com> writes:
> Maybe we can extend the SQL's WITH clause to declare the constant along with
> the query, and not separate from the query.

> WITH CONSTANT c_jobrole = 'clerk', CONSTANT c_dept = 10
> SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;

[ scratches head... ]  And that will provide SQL injection protection how?

Anyway, you hardly need new syntax to do that, I'd expect

	WITH SELECT 'clerk' AS c_jobrole ...

to accomplish it just fine.

			regards, tom lane
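The point Tom raises above can be checked without a database. This is an added example, not code from the thread or from PostgreSQL; it assumes the proposed WITH CONSTANT query is written as an ordinary CTE (`WITH c AS (SELECT ... )`) over the `emp`, `jobrole` and `deptno` names from the quoted query. Splicing a caller-supplied value into that WITH clause leaves it inside the statement text, so a quote in the value still breaks out of the literal; passing it as a bind parameter keeps the statement text fixed.

```python
EMP_QUERY = "SELECT * FROM emp, c WHERE jobrole = c.c_jobrole AND deptno = c.c_dept"


def with_constant_unsafe(jobrole: str, deptno: str) -> str:
    """The WITH-constant rewrite, built by string interpolation (vulnerable)."""
    return (f"WITH c AS (SELECT '{jobrole}' AS c_jobrole, {deptno} AS c_dept) "
            + EMP_QUERY)


def with_constant_parameterized(jobrole: str, deptno: int) -> tuple:
    """Same query, values passed as bind parameters ($1, $2 are PostgreSQL's
    placeholders for PREPARE / the extended query protocol)."""
    sql = ("WITH c AS (SELECT $1::text AS c_jobrole, $2::int AS c_dept) "
           + EMP_QUERY)
    return sql, (jobrole, deptno)


def string_literals(sql: str) -> list:
    """Minimal scanner for single-quoted SQL literals that honours the ''
    escape; enough to show when a value has escaped its literal."""
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        buf, j = [], i + 1
        while j < n:
            if sql[j] == "'":
                if j + 1 < n and sql[j + 1] == "'":   # '' inside a literal
                    buf.append("'")
                    j += 2
                    continue
                break                                  # closing quote
            buf.append(sql[j])
            j += 1
        literals.append("".join(buf))
        i = j + 1
    return literals


def injected(jobrole: str, deptno: str) -> bool:
    """True when the spliced-in values changed the statement's shape: jobrole
    no longer arrives as exactly one literal, or deptno is not a bare integer."""
    sql = with_constant_unsafe(jobrole, deptno)
    return string_literals(sql) != [jobrole] or not deptno.strip().isdigit()


if __name__ == "__main__":   # constructed inputs: benign pair, then a quote breakout
    print(injected("clerk", "10"))              # False
    print(injected("clerk' OR 'x'='x", "10"))   # True
```

With the parameterized form, `with_constant_parameterized` returns the same statement text for both inputs; the attacker-shaped string only ever appears in the parameter tuple.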
