Re: No parameters support in "create user"?

From: Shachar Shemesh <psql(at)shemesh(dot)biz>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: No parameters support in "create user"?
Date: 2004-09-20 16:59:41
Lists: pgsql-hackers

Tom Lane wrote:

>Parameters are only supported in plannable statements
>(SELECT/INSERT/UPDATE/DELETE; I think there is some hack for DECLARE
>CURSOR these days too).

That's a shame.

Aside from executing prepared statements, parameters are also useful for
preventing SQL injections. In those cases, they are useful for all
commands, not only those that can be prepared.

Oh well. I'm not sure whether that's extremely clever or downright 
insane, but I'm solving this problem by calling "Select 
quote_literal($1)" and "select quote_id($1)", and then using the results.


Shachar Shemesh
Lingnu Open Source Consulting ltd.
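
The quoting workaround described in this message, as an added example that is not part of the original post or of PostgreSQL's own code. The names create_login_role, quote_role and their parameters are hypothetical; quote_ident and quote_literal are PostgreSQL's built-in identifier- and literal-quoting functions.

```sql
-- Added example; create_login_role and quote_role are hypothetical names.
-- quote_ident() and quote_literal() are PostgreSQL built-ins.
CREATE FUNCTION create_login_role(p_name text, p_password text)
RETURNS void
LANGUAGE plpgsql
AS $$
BEGIN
    -- Both quoting functions return NULL for NULL input, which would make
    -- the concatenated statement NULL, so reject NULLs up front.
    IF p_name IS NULL OR p_password IS NULL THEN
        RAISE EXCEPTION 'role name and password must not be NULL';
    END IF;

    -- CREATE USER is a utility statement and takes no $n parameters, so the
    -- values are spliced in as text: the name quoted as an identifier, the
    -- password quoted as a string literal.
    EXECUTE 'CREATE USER ' || quote_ident(p_name)
         || ' PASSWORD '   || quote_literal(p_password);
END;
$$;

-- The same two-step approach from a client: the untrusted values travel as
-- real parameters of a plannable SELECT, and only the quoted results are
-- placed into the CREATE USER text that the client sends next.
PREPARE quote_role(text, text) AS
    SELECT quote_ident($1) AS role_name, quote_literal($2) AS role_password;

-- Constructed inputs: a name containing a double quote and a semicolon,
-- and a password containing a single quote.
EXECUTE quote_role('bob"; DROP TABLE t; --', 'pa''ss');

-- Through the function, the same inputs create one oddly named role and
-- nothing else.
SELECT create_login_role('bob"; DROP TABLE t; --', 'pa''ss');
```

Because the password ends up inside the statement text, it can appear in the server log when statement logging is enabled.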
