Re: ToDo: support for parameters in EXECUTE statement

From: Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>
To: Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: ToDo: support for parameters in EXECUTE statement
Date: 2011-01-19 10:59:13
Message-ID: 4D36C401.8060007@enterprisedb.com
Lists: pgsql-hackers

On 19.01.2011 12:53, Pavel Stehule wrote:
> The EXECUTE statement doesn't support parametrization via the
> SPI_execute_with_args call or PQexecParams either. It can be a security
> issue. If somebody uses a prepared statement as protection against SQL
> injection, then all security goes out, because he has to call EXECUTE
> without parametrization.

Why don't you use SPI_prepare and SPI_open_query?

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
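The point raised above, as an added example that is not code from the thread or from PostgreSQL: when the only route to a server-side prepared statement is the text of an EXECUTE statement, every argument is an SQL literal the client has to quote itself, so a quoting mistake changes the structure of what the server parses. The prepared statement name `find_user`, the input string and the simplified statement splitter are constructed for this example; it assumes `standard_conforming_strings = on` (single quotes doubled, backslashes not special). Python is used only because the work is client-side string handling.

```python
# Added example, not from the pgsql-hackers thread or the PostgreSQL sources.
# Shows why building EXECUTE text pushes injection safety back onto the client,
# and a check that detects when quoting has failed.
# Assumes standard_conforming_strings = on; "find_user" and UNTRUSTED are constructed.

# Constructed untrusted input: what a user might type into a "name" field.
UNTRUSTED = "bob'); SELECT version(); --"


def quote_literal(value: str) -> str:
    """Render value as a PostgreSQL string literal by doubling single quotes.
    Assumes standard_conforming_strings = on, so backslashes are not escapes."""
    return "'" + value.replace("'", "''") + "'"


def execute_text_naive(stmt: str, *args: str) -> str:
    """The unsafe pattern: raw values pasted between quotes in the EXECUTE text."""
    return f"EXECUTE {stmt}(" + ", ".join(f"'{a}'" for a in args) + ");"


def execute_text_quoted(stmt: str, *args: str) -> str:
    """The same EXECUTE text with every argument passed through quote_literal."""
    return f"EXECUTE {stmt}(" + ", ".join(quote_literal(a) for a in args) + ");"


def top_level_statements(sql: str) -> list:
    """Split SQL text on semicolons that lie outside single-quoted literals and
    outside '--' line comments, roughly as the server's lexer would see it
    (simplified: no dollar quoting, no /* */ comments, no E'' strings)."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            cur.append(ch)
            if ch == "'":
                if sql[i + 1:i + 2] == "'":   # doubled quote stays inside the literal
                    cur.append("'")
                    i += 2
                    continue
                in_str = False
            i += 1
            continue
        if sql.startswith("--", i):           # line comment: skip to end of line
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl
            continue
        if ch == "'":
            in_str = True
        elif ch == ";":
            piece = "".join(cur).strip()
            if piece:
                stmts.append(piece)
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    piece = "".join(cur).strip()
    if piece:
        stmts.append(piece)
    return stmts


def is_single_statement(sql: str) -> bool:
    """Defensive check: text meant to carry one EXECUTE must parse as exactly one
    statement. A second statement means a quoting failure let input escape."""
    return len(top_level_statements(sql)) == 1


if __name__ == "__main__":
    for label, text in (("naive", execute_text_naive("find_user", UNTRUSTED)),
                        ("quoted", execute_text_quoted("find_user", UNTRUSTED))):
        print(f"{label:7}: {text}")
        print(f"         statements={top_level_statements(text)} "
              f"single={is_single_statement(text)}")
```

With the naive builder the constructed input yields two statements; with `quote_literal` it stays one literal inside one statement. The check is only a safety net for code that has no choice but to emit EXECUTE text: where a bind-capable interface such as PQexecParams or SPI_prepare plus SPI_execute_plan is available, the value never enters the SQL text at all, and no client-side quoting is needed.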
