Re: Sql injection attacks

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Greg Stark <gsstark(at)mit(dot)edu>
Cc: Bill Moran <wmoran(at)potentialtech(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: Sql injection attacks
Date: 2004-07-26 17:48:01
Message-ID: 29958.1090864081@sss.pgh.pa.us
Lists: pgsql-general

Greg Stark <gsstark(at)mit(dot)edu> writes:
> Incidentally, you should be able to prepare queries and execute them later
> like the DBI and PHP interfaces, but there's an odd comment in the docs:

> Presently, prepared statements for use with PQexecPrepared must be set up by
> executing an SQL PREPARE command, which is typically sent with PQexec
> (though any of libpq's query-submission functions may be used). A
> lower-level interface for preparing statements may be offered in a future
> release.

> I don't think this is true any more. I think the low level protocol exists
> now. It's possible the libpq method doesn't exist yet though.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

That's what the comment is trying to tell you: libpq does not currently
offer a way to use the V3-protocol Prepare message.

regards, tom lane
