| From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
|---|---|
| To: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: ToDo: support for parameters in EXECUTE statement |
| Date: | 2011-01-19 11:54:09 |
| Message-ID: | AANLkTinPfJow3JqZZgpqS_2j9bbkUc7Dtm=GyAJ1tnMh@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
2011/1/19 Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>:
> On 19.01.2011 12:53, Pavel Stehule wrote:
>>
>> The EXECUTE statement doesn't support a parametrization via
>> SPI_execute_with_args call and PQexecParams too. It can be a security
>> issue. If somebody use a prepared statement as protection to sql
>> injection, then all security goes out, because he has to call EXECUTE
>> without parametrization.
>
> Why don't you use SPI_prepare and SPI_open_query ?
I have to execute a session's prepared statement - created with
PREPARE statement.
Pavel
>
> --
> Heikki Linnakangas
> EnterpriseDB http://www.enterprisedb.com
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Simon Riggs | 2011-01-19 12:36:05 | Re: [COMMITTERS] pgsql: Log replication connections only when log_connections is on |
| Previous Message | Heikki Linnakangas | 2011-01-19 10:59:13 | Re: ToDo: support for parameters in EXECUTE statement |