ToDo: support for parameters in EXECUTE statement

From: Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>
To: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: ToDo: support for parameters in EXECUTE statement
Date: 2011-01-19 10:53:23
Message-ID: AANLkTimVb2yOUse0kcGz7GM69tETY7px7K7L3+swDOzP@mail.gmail.com
Lists: pgsql-hackers

Hello

The EXECUTE statement doesn't support parametrization via the
SPI_execute_with_args call or PQexecParams either. It can be a security
issue. If somebody uses a prepared statement as protection against SQL
injection, then all security goes out, because he has to call EXECUTE
without parametrization.

Regards

Pavel Stehule
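The risk described above, shown as an added example that is not part of Pavel Stehule's post or of PostgreSQL's code: when the SQL-level EXECUTE cannot take bound parameters, the caller ends up building the EXECUTE string itself, and an unquoted argument turns one statement into two. The prepared statement name `get_user`, its single text parameter, the user inputs and the `count_statements` tokenizer are all constructed for this example; no database connection is made. The protocol-level route that avoids string building entirely is libpq's PQprepare/PQexecPrepared (or PQexecParams on the underlying query), which send parameters out of band.

```python
"""Added example: SQL-level EXECUTE built from strings, naive vs. quoted.

Constructed for illustration: a prepared statement `get_user` taking one
text argument. Nothing here talks to a server; the point is what SQL text
the client would send.
"""


def quote_literal(value: str) -> str:
    """Render value as a PostgreSQL string literal by doubling single quotes.

    Assumed helper for the example, modelled on what libpq's PQescapeLiteral
    does. Leaving backslashes untouched is only correct with
    standard_conforming_strings = on (the server default since 9.1).
    """
    if "\0" in value:
        raise ValueError("NUL byte is not allowed in a PostgreSQL literal")
    return "'" + value.replace("'", "''") + "'"


def execute_naive(stmt_name: str, arg: str) -> str:
    """The tempting shortcut: interpolate the argument straight into EXECUTE."""
    return "EXECUTE %s('%s')" % (stmt_name, arg)


def execute_quoted(stmt_name: str, arg: str) -> str:
    """Same EXECUTE, but the argument is rendered as a proper literal."""
    return "EXECUTE %s(%s)" % (stmt_name, quote_literal(arg))


def count_statements(sql: str) -> int:
    """Count top-level statements in a SQL string.

    Crude tokenizer (constructed for this example): ';' inside a
    single-quoted literal or after a '--' comment is ignored. Enough to
    show whether an input escaped its literal.
    """
    count, in_string, in_comment, pending = 0, False, False, False
    for i, c in enumerate(sql):
        if in_comment:
            if c == "\n":
                in_comment = False
        elif in_string:
            if c == "'":
                in_string = False
        elif c == "'":
            in_string = True
            pending = True
        elif sql.startswith("--", i):
            in_comment = True
        elif c == ";":
            if pending:
                count += 1
            pending = False
        elif not c.isspace():
            pending = True
    return count + (1 if pending else 0)


# Constructed inputs: a benign name, a name with an apostrophe, and a
# classic break-out attempt that only works when the literal is unquoted.
BENIGN = "alice"
APOSTROPHE = "O'Brien"
HOSTILE = "x'); DROP TABLE users; --"


def demo() -> dict:
    """Return, per input, how many statements each construction produces."""
    return {
        name: (
            count_statements(execute_naive("get_user", value)),
            count_statements(execute_quoted("get_user", value)),
        )
        for name, value in (("benign", BENIGN),
                            ("apostrophe", APOSTROPHE),
                            ("hostile", HOSTILE))
    }


if __name__ == "__main__":
    for name, (naive, quoted) in demo().items():
        print("%-10s naive=%d quoted=%d" % (name, naive, quoted))
```

The `hostile` row is the one the post is about: with naive interpolation the client sends two statements, with correct quoting it sends one with the whole input inside the literal. The `apostrophe` row shows the other failure mode of naive interpolation, a syntax error on legitimate data. Both disappear when the parameter never becomes part of the SQL text, which is what protocol-level binding gives and what the post asks the SQL-level EXECUTE to support.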
