Re: Prepared statements with bind parameters for DDL

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Martijn van Oosterhout <kleptog(at)svana(dot)org>
Cc: deepak <deepak(dot)pn(at)gmail(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: Prepared statements with bind parameters for DDL
Date: 2015-02-11 23:47:21
Message-ID: 25178.1423698441@sss.pgh.pa.us
Lists: pgsql-general

Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> On Wed, Feb 11, 2015 at 02:22:10PM -0500, Tom Lane wrote:
>> Nope. DDL commands generally don't have any support for evaluating
>> expressions, which would be the context in which parameters would
>> be useful. Nor have they got plans, which would be the requirement
>> for prepared statements to be good for much either.

> Not really true, there are plenty of cases where you just want to fill
> in literals without having to worry about quoting. For example:

> DROP TABLE %s

True, but that is not what Postgres thinks is a parameter; for example
you cannot do "SELECT * FROM %s", nor could you persuade it to interpret a
parameter as a column reference in a SELECT.

> ... is opening yourself up to SQL injection. I've wondered if it were
> possible to be able to say:

> DROP TABLE IDENTIFIER($1);

A meta-function like that would just provide a different route for SQL
injection, I suspect, particularly when attacking applications that
hadn't gotten the memo about "IDENTIFIER()" being magic.

I think there's considerable value in a client-library function for safe
interpolation of this sort, but I doubt that trying to shoehorn it into
the server is the answer.

regards, tom lane
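The client-side safe interpolation Tom describes, as an added example that is not part of the original message and not code from libpq, psycopg or any other real library. It implements PostgreSQL's own quoting rule for identifiers (wrap in double quotes, double every embedded double quote), puts Martijn's `DROP TABLE %s` pattern beside the quoted version, and uses a small constructed scanner to show whether a hostile table name terminated the statement it was spliced into. The helper names, the payload string and the scanner are all hypothetical; the 63-byte NAMEDATALEN limit is the server's, and the check here is an assumption about how a careful client should react to it.

```python
"""Client-side identifier quoting for dynamic DDL (illustrative, not a real library)."""

# NAMEDATALEN - 1: the server silently truncates longer names, so a client that
# quoted a 70-byte name would act on a different object than it intended.
PG_MAX_IDENT_BYTES = 63

# Constructed hostile table name: the kind of input Martijn's "DROP TABLE %s" would splice in raw.
PAYLOAD = "users; DROP TABLE accounts; --"


def quote_ident(name: str) -> str:
    """Return NAME as a PostgreSQL quoted identifier, safe to splice into SQL text."""
    if not name:
        raise ValueError("empty identifier")
    if "\0" in name:
        # The wire protocol cannot carry NUL; refuse rather than let it truncate the query.
        raise ValueError("identifier contains NUL")
    if len(name.encode("utf-8")) > PG_MAX_IDENT_BYTES:
        # Assumption: refusing is safer than letting the server truncate the name.
        raise ValueError("identifier longer than %d bytes" % PG_MAX_IDENT_BYTES)
    return '"' + name.replace('"', '""') + '"'


def drop_table_unsafe(table: str) -> str:
    """The pattern from the thread: the name goes into the statement unquoted."""
    return "DROP TABLE %s" % table


def drop_table_safe(table: str) -> str:
    """Same statement, but the name is quoted first, so it stays one identifier."""
    return "DROP TABLE %s" % quote_ident(table)


def split_statements(sql: str) -> list:
    """Split SQL text on ';' outside quoted strings and identifiers, dropping -- comments.

    Toy scanner for the demonstration only: dollar quoting, block comments and
    escape strings are not handled.
    """
    stmts, cur, quote, i = [], [], None, 0
    while i < len(sql):
        c = sql[i]
        if quote:
            cur.append(c)
            if c == quote:
                if sql[i + 1:i + 2] == quote:
                    cur.append(quote)  # doubled quote: an escaped quote, still inside
                    i += 1
                else:
                    quote = None
        elif c in ("'", '"'):
            quote = c
            cur.append(c)
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl
            continue
        elif c == ";":
            text = "".join(cur).strip()
            if text:
                stmts.append(text)
            cur = []
        else:
            cur.append(c)
        i += 1
    text = "".join(cur).strip()
    if text:
        stmts.append(text)
    return stmts


if __name__ == "__main__":
    for build in (drop_table_unsafe, drop_table_safe):
        sql = build(PAYLOAD)
        print("%-18s %d statement(s): %s" % (build.__name__, len(split_statements(sql)), sql))
```

Running it shows the unquoted build producing two statements (`DROP TABLE users` and `DROP TABLE accounts`) while the quoted build produces one, whose only identifier is the literal payload string. Real client libraries ship the same function under their own names (libpq's `PQescapeIdentifier`, psycopg's `sql.Identifier`); on the server side `quote_ident()` and `format('%I', ...)` do the same job inside PL/pgSQL, which is the existing route for dynamic DDL rather than a bind parameter.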
