Re: Protection from SQL injection

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Gurjeet Singh" <singh(dot)gurjeet(at)gmail(dot)com>
Cc: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-30 17:28:19
Message-ID: 20390.1209576499@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

"Gurjeet Singh" <singh(dot)gurjeet(at)gmail(dot)com> writes:
> Maybe we can extend the SQL's WITH clause do declare the constant along with
> the query, and not separate from the query.

> WITH CONSTANT c_jobrole = 'clerk', CONSTANT c_dept = 10
> SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;

[ scratches head... ] And that will provide SQL injection protection how?

Anyway, you hardly need new syntax to do that, I'd expect

WITH SELECT 'clerk' AS c_jobrole ...

to accomplish it just fine.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Gurjeet Singh 2008-04-30 17:37:55 Re: Protection from SQL injection
Previous Message Gurjeet Singh 2008-04-30 17:11:08 Re: Protection from SQL injection