| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Merlin Moncure" <mmoncure(at)gmail(dot)com> |
| Cc: | "Karen Hill" <karen_hill22(at)yahoo(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Preventing SQL Injection in PL/pgSQL in psql |
| Date: | 2006-05-10 04:37:19 |
| Message-ID: | 26269.1147235839@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
"Merlin Moncure" <mmoncure(at)gmail(dot)com> writes:
> On 9 May 2006 17:04:31 -0700, Karen Hill <karen_hill22(at)yahoo(dot)com> wrote:
>> Is my understanding correct that the following is vulnerable to SQL
>> injection in psql:
> ...
> no, IMO this is the safest and best option.
Neither of the options that Karen shows are dangerous. What would be
dangerous is building a SQL command string and feeding it to EXECUTE
*without* using quote_literal.
I agree with Merlin that you shouldn't use EXECUTE unless you have to
--- it's both much slower than a precompiled statement, and much more
vulnerable to security mistakes.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Greg Stark | 2006-05-10 04:41:20 | Re: Arguments Pro/Contra Software Raid |
| Previous Message | John DeSoi | 2006-05-10 04:29:07 | Re: What's wrong with this SQL? |