Re: [GENERAL] How does one make the following psql statement sql-injection resilient?

2015-03-19 Thread David G. Johnston
On Mon, Mar 16, 2015 at 9:31 PM, David G. Johnston david.g.johns...@gmail.com wrote: On Monday, March 16, 2015, Alvaro Herrera alvhe...@2ndquadrant.com wrote: David G. Johnston wrote: Thanks! I got the gist even with the typo. I actually pondered about prepare/execute after hitting

Re: [GENERAL] How does one make the following psql statement sql-injection resilient?

2015-03-19 Thread David G. Johnston
On Thu, Mar 19, 2015 at 12:43 PM, Alvaro Herrera alvhe...@2ndquadrant.com wrote: David G. Johnston wrote: Except that server COPY only is documented to accept a query that begins with either SELECT or VALUES :( I hereby voice my desire for EXECUTE to be usable as well. Feel free to

Re: [GENERAL] How does one make the following psql statement sql-injection resilient?

2015-03-19 Thread David G. Johnston
On Thu, Mar 19, 2015 at 12:46 PM, David G. Johnston david.g.johns...@gmail.com wrote: On Thu, Mar 19, 2015 at 12:43 PM, Alvaro Herrera alvhe...@2ndquadrant.com wrote: David G. Johnston wrote: Except that server COPY only is documented to accept a query that begins with either SELECT or

[GENERAL] How does one make the following psql statement sql-injection resilient?

2015-03-16 Thread David G. Johnston
psql $SERVICE \
  --echo-queries \
  --set=string_input=${1:-ok_to_return} \
  --set=start=${2:-5} \
  --set=end=${3:-10} \
  <<'SQL'
SELECT idx
FROM generate_series(1, 20) gs (idx)
WHERE 'short-circuit' != :'string_input'
  AND idx BETWEEN :start AND :end;
SQL
#
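
A hardened version of the script in the post above, as an added example that is not part of the original thread or of PostgreSQL's own code. It keeps the same query and the same psql --set variables, but interpolates every variable with :'var' (psql then emits a correctly quoted string literal) and casts the range bounds to int on the server, so a value such as 5 OR 1=1 in $2 can no longer become SQL text the way bare :start and :end allow; a shell-side integer check also rejects bad bounds before psql is even started. $SERVICE is assumed, as in the post, to hold the connection options; PSQL is an added override for the psql binary and is not part of the original.

```shell
#!/bin/sh
# Added example (not from the thread): the posted psql script with every
# variable interpolated safely. Assumes $SERVICE holds the connection options
# as in the post, and that psql is on PATH (override with PSQL=/path/to/psql).
set -eu

# Accept an optional leading '-' followed by digits only. Anything else
# ("5 OR 1=1", "10; DROP TABLE t", "", "1e3", "5-3") is rejected before
# psql starts, so the caller gets a clear error instead of a server error.
is_int() {
  case "$1" in
    ''|-|*[!0-9-]*|?*-*) return 1 ;;
    *) return 0 ;;
  esac
}

# run_query STRING_INPUT START END
run_query() {
  string_input=$1
  start=$2
  end=$3
  is_int "$start" || { echo "start must be an integer, got: $start" >&2; return 2; }
  is_int "$end"   || { echo "end must be an integer, got: $end" >&2; return 2; }

  # --set hands the values to psql as variables; the shell never pastes them
  # into the SQL text. The quoted heredoc delimiter ('SQL') keeps the shell
  # from expanding anything inside the heredoc, so the psql ':' syntax
  # reaches psql untouched. $SERVICE is left unquoted on purpose: like the
  # original it may carry several psql options.
  #
  # In the query, :'string_input' makes psql emit a properly quoted string
  # literal, so a value containing ' or \ cannot terminate the literal.
  # :'start'::int quotes first and casts on the server, so a non-numeric
  # value raises an input-syntax error instead of becoming SQL.
  ${PSQL:-psql} ${SERVICE-} \
    --echo-queries \
    --set=ON_ERROR_STOP=1 \
    --set=string_input="$string_input" \
    --set=start="$start" \
    --set=end="$end" <<'SQL'
SELECT idx
FROM generate_series(1, 20) gs (idx)
WHERE 'short-circuit' != :'string_input'
  AND idx BETWEEN :'start'::int AND :'end'::int;
SQL
}
```

Source the file and call run_query ok_to_return 5 10 to reproduce the original behaviour; run_query ok_to_return '5 OR 1=1' 10 is refused by is_int before psql starts, and run_query "x' OR '1'='1" 5 10 shows, via --echo-queries, the string arriving at the server as a single quoted literal rather than as extra SQL. The same :'var' rule applies to any value position; for table or column names supplied from outside, psql's :"var" form produces a quoted identifier instead.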

Re: [GENERAL] How does one make the following psql statement sql-injection resilient?

2015-03-16 Thread Alvaro Herrera
David G. Johnston wrote: Thanks! I got the gist even with the typo. I actually pondered about prepare/execute after hitting send. Am I correct in remembering that CREATE TEMP TABLE cannot be prepared? I was using the actual query with CREATE TEMP TABLE and then issuing \copy to dump the

Re: [GENERAL] How does one make the following psql statement sql-injection resilient?

2015-03-16 Thread David G. Johnston
On Monday, March 16, 2015, Alvaro Herrera alvhe...@2ndquadrant.com wrote: David G. Johnston wrote: Thanks! I got the gist even with the typo. I actually pondered about prepare/execute after hitting send. Am I correct in remembering that CREATE TEMP TABLE cannot be prepared? I was

Re: [GENERAL] How does one make the following psql statement sql-injection resilient?

2015-03-16 Thread Andy Colson
On 3/16/2015 4:30 PM, David G. Johnston wrote: psql $SERVICE \ --echo-queries \ --set=string_input=${1:-ok_to_return} \ --set=start=${2:-5} \ --set=end=${3:-10} \ <<'SQL' SELECT idx FROM generate_series(1, 20) gs (idx) WHERE 'short-circuit' !=

Re: [GENERAL] How does one make the following psql statement sql-injection resilient?

2015-03-16 Thread Andy Colson
On 3/16/2015 4:45 PM, Andy Colson wrote: On 3/16/2015 4:30 PM, David G. Johnston wrote: psql $SERVICE \ --echo-queries \ --set=string_input=${1:-ok_to_return} \ --set=start=${2:-5} \ --set=end=${3:-10} \ <<'SQL' SELECT idx FROM generate_series(1, 20) gs (idx)

Re: [GENERAL] How does one make the following psql statement sql-injection resilient?

2015-03-16 Thread David G. Johnston
On Mon, Mar 16, 2015 at 2:51 PM, Andy Colson a...@squeakycode.net wrote: On 3/16/2015 4:45 PM, Andy Colson wrote: On 3/16/2015 4:30 PM, David G. Johnston wrote: psql $SERVICE \ --echo-queries \ --set=string_input=${1:-ok_to_return} \ --set=start=${2:-5} \