From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Merlin Moncure" <mmoncure(at)gmail(dot)com> |
Cc: | "Karen Hill" <karen_hill22(at)yahoo(dot)com>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Preventing SQL Injection in PL/pgSQL in psql |
Date: | 2006-05-10 04:37:19 |
Message-ID: | 26269.1147235839@sss.pgh.pa.us |
Lists: | pgsql-general |
"Merlin Moncure" <mmoncure(at)gmail(dot)com> writes:
> On 9 May 2006 17:04:31 -0700, Karen Hill <karen_hill22(at)yahoo(dot)com> wrote:
>> Is my understanding correct that the following is vulnerable to SQL
>> injection in psql:
> ...
> no, IMO this is the safest and best option.
Neither of the options that Karen shows is dangerous. What would be
dangerous is building a SQL command string and feeding it to EXECUTE
*without* using quote_literal.
I agree with Merlin that you shouldn't use EXECUTE unless you have to
--- it's both much slower than a precompiled statement, and much more
vulnerable to security mistakes.
regards, tom lane
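As an added illustration of the distinction Tom draws (not code from the thread or from Karen's original question), the three PL/pgSQL variants below take the same untrusted text argument. The table `accounts`, its columns, and the function names are assumed for the example only.

```sql
-- Added example: a constructed table with one username that legitimately
-- contains an apostrophe, which is enough to tell the three variants apart.
CREATE TABLE accounts (id serial PRIMARY KEY, username text, email text);
INSERT INTO accounts (username, email)
VALUES ('alice', 'alice@example.com'),
       ('o''reilly', 'tim@example.com');

-- 1. Static SQL inside PL/pgSQL (the non-EXECUTE option).  The parameter is
--    bound by the executor, never spliced into the query text, so no quoting
--    is needed and the statement's plan is cached across calls.
CREATE OR REPLACE FUNCTION email_for_static(p_user text) RETURNS text AS $$
DECLARE
    result text;
BEGIN
    SELECT email INTO result FROM accounts WHERE username = p_user;
    RETURN result;
END;
$$ LANGUAGE plpgsql;

-- 2. Dynamic SQL with quote_literal.  Only needed when the statement itself
--    must vary at run time; quote_literal wraps the value in single quotes
--    and doubles any embedded quotes, so the value cannot end the literal.
CREATE OR REPLACE FUNCTION email_for_dynamic(p_user text) RETURNS text AS $$
DECLARE
    result text;
BEGIN
    EXECUTE 'SELECT email FROM accounts WHERE username = '
            || quote_literal(p_user)
       INTO result;
    RETURN result;
END;
$$ LANGUAGE plpgsql;

-- 3. The pattern Tom warns against: untrusted text concatenated straight
--    into the command string with hand-written quotes.  Shown only to
--    contrast with 1 and 2; do not use this form.
CREATE OR REPLACE FUNCTION email_for_unsafe(p_user text) RETURNS text AS $$
DECLARE
    result text;
BEGIN
    EXECUTE 'SELECT email FROM accounts WHERE username = '''
            || p_user || ''''
       INTO result;
    RETURN result;
END;
$$ LANGUAGE plpgsql;

-- The same legitimate input, passed to each variant.
SELECT email_for_static('o''reilly');
SELECT email_for_dynamic('o''reilly');
SELECT email_for_unsafe('o''reilly');
```

The first two calls return the stored e-mail address; the third raises a syntax error, because the apostrophe in the input terminates the literal that the function built by hand. That error is the harmless symptom of the same defect that lets crafted input change the statement's meaning, which is why a value that reaches EXECUTE must go through quote_literal (or, on releases that have them, `EXECUTE ... USING` or `format('%L', ...)`), and why the static form is preferable whenever the statement text does not actually need to vary.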