> -----Original Message-----
> From: Asko Oja [mailto:asc...@gmail.com]
> Sent: Wednesday, September 15, 2010 2:29 PM
> To: Igor Neyman
> Cc: Tatarnikov Alexander; pgsql-sql@postgresql.org
> Subject: Re: [SQL] Use "CREATE USER" in plpgsql function - Found word(s) list error in the Text body
>
> And dynamic SQL leads easily to SQL injection, so quoting is required there.
>
> execute 'create user ' || quote_ident(i_username) || ' password ' || quote_literal(i_password);
>
>
> On Wed, Sep 15, 2010 at 5:26 PM, Igor Neyman <iney...@perceptron.com> wrote:
>
That's too "generic". I was answering a specific question.

Now, yes, dynamic SQL could be used for SQL injection, if not used carefully. But it exists for a reason. And in this particular case userName and userPassword are retrieved from a table. So, care should be taken (appropriate checks to be done) when these values are inserted into the table.

Btw., do you have another answer to the OP's question?

Regards,
Igor Neyman

--
Sent via pgsql-sql mailing list (pgsql-sql@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-sql
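The two positions in the thread can be put side by side in working code. The following PostgreSQL example is added here and is not code from either message or from the OP's function: it reads a username and password out of a table, as in the OP's case, and builds the CREATE USER statement once by plain concatenation and once with the quote_ident()/quote_literal() quoting Asko shows. The table, column and function names (app_accounts, create_user_unsafe, create_user_safe) are hypothetical, and the rows are constructed to show what a stored value can carry past an INSERT-time check.

```sql
-- Added example (not from the thread). Table, column and function
-- names are hypothetical; the rows are constructed test data.

CREATE TABLE app_accounts (
    username text PRIMARY KEY,
    password text NOT NULL
);

-- Constructed rows. The second and third carry extra SQL in the stored
-- value; nothing in the table definition prevents inserting them.
INSERT INTO app_accounts (username, password) VALUES
    ('alice',             's3cret'),
    ('mallory SUPERUSER', 'x'),                 -- payload in identifier position
    ('bob',               'x'' SUPERUSER --');  -- payload in literal position

-- Unsafe: stored values concatenated straight into the statement.
-- Returns the statement instead of executing it, so the effect is
-- shown rather than done.
CREATE OR REPLACE FUNCTION create_user_unsafe(p_username text)
RETURNS text
LANGUAGE plpgsql
AS $$
DECLARE
    v_pw  text;
    v_sql text;
BEGIN
    SELECT password INTO STRICT v_pw
      FROM app_accounts
     WHERE username = p_username;

    v_sql := 'CREATE USER ' || p_username
          || ' PASSWORD ''' || v_pw || '''';
    RETURN v_sql;
END;
$$;

-- Safe: identifiers go through quote_ident(), string values through
-- quote_literal(). A stored username containing spaces or keywords
-- becomes one double-quoted identifier; a stored password containing
-- a quote is escaped inside one string literal. This one does EXECUTE,
-- so the caller needs CREATEROLE.
CREATE OR REPLACE FUNCTION create_user_safe(p_username text)
RETURNS text
LANGUAGE plpgsql
AS $$
DECLARE
    v_pw  text;
    v_sql text;
BEGIN
    SELECT password INTO STRICT v_pw
      FROM app_accounts
     WHERE username = p_username;

    v_sql := 'CREATE USER ' || quote_ident(p_username)
          || ' PASSWORD ' || quote_literal(v_pw);
    EXECUTE v_sql;
    RETURN v_sql;
END;
$$;

-- Compare the statement each version builds for the same rows.
SELECT username,
       create_user_unsafe(username) AS unsafe_stmt,
       create_user_safe(username)   AS safe_stmt
  FROM app_accounts
 ORDER BY username;

-- Remove the roles the safe version actually created.
DROP ROLE alice, bob, "mallory SUPERUSER";
```

For the two constructed payload rows, the unsafe version builds `CREATE USER mallory SUPERUSER PASSWORD 'x'` and `CREATE USER bob PASSWORD 'x' SUPERUSER --'`, each of which would create a superuser if executed; the `--` in the second comments out the trailing quote the template appends. The safe version builds `CREATE USER "mallory SUPERUSER" PASSWORD 'x'` and `CREATE USER bob PASSWORD 'x'' SUPERUSER --'`, that is, one oddly named role with no privileges and one role with an odd password. This is the point of quoting at EXECUTE time rather than relying only on checks at INSERT time: the quoting functions make the stored value inert regardless of how it got into the table. On PostgreSQL 9.1 and later the same quoting can be written as format('CREATE USER %I PASSWORD %L', p_username, v_pw), which was not yet available when this thread was written.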