Re: [GENERAL] Avoiding SQL injection in Dynamic Queries (in plpgsql)

2010-03-17 Thread Pavel Stehule
2010/3/17 Allan Kamau:
> When writing dynamic commands (those having "EXECUTE 'some SQL
> query';), is there a way to prevent interpretation of input parameters
> as pieces of SQL commands? Does the quote_literal() function implicitly
> protect against this unwanted behaviour?

quote_literal, quote_id

Re: [GENERAL] Avoiding SQL injection in Dynamic Queries (in plpgsql)

2010-03-17 Thread Allan Kamau
On Wed, Mar 17, 2010 at 11:41 AM, Craig Ringer wrote:
> Allan Kamau wrote:
>> When writing dynamic commands (those having "EXECUTE 'some SQL
>> query';), is there a way to prevent interpretation of input parameters
>> as pieces of SQL commands?
>
> EXECUTE ... USING
>
> --
> Craig Ringer

Thanks

Re: [GENERAL] Avoiding SQL injection in Dynamic Queries (in plpgsql)

2010-03-17 Thread Craig Ringer
Allan Kamau wrote:
> When writing dynamic commands (those having "EXECUTE 'some SQL
> query';), is there a way to prevent interpretation of input parameters
> as pieces of SQL commands?

EXECUTE ... USING

--
Craig Ringer

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To m
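The two answers in this thread (Pavel's quote_literal/quote_ident and Craig's EXECUTE ... USING) as an added example in plpgsql, not code posted by either of them: the string-splicing form the question describes, beside the parameterised form, with format('%I') covering the one thing USING cannot bind, an identifier. The accounts table, its rows and the function names are constructed for the demonstration.

```sql
-- Constructed sample schema for the demonstration.
CREATE TABLE accounts (id serial PRIMARY KEY, username text NOT NULL, balance numeric);
INSERT INTO accounts (username, balance) VALUES ('alice', 10), ('bob', 20);

-- Unsafe: the parameter is spliced into the SQL text, so a value that
-- contains a quote character changes the statement instead of being
-- compared as data. This is the pattern the question is asking about.
CREATE OR REPLACE FUNCTION find_account_unsafe(p_user text)
RETURNS SETOF accounts LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE 'SELECT * FROM accounts WHERE username = ''' || p_user || '''';
END $$;

-- Safe: the value travels through USING as a bound parameter ($1) and is
-- never part of the SQL text (quote_literal(p_user) spliced into the string
-- is the older equivalent). An identifier cannot be bound, so it goes
-- through format('%I'), which double-quotes it exactly as quote_ident does.
CREATE OR REPLACE FUNCTION find_account_safe(p_user text, p_order_col text DEFAULT 'id')
RETURNS SETOF accounts LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE format('SELECT * FROM accounts WHERE username = $1 ORDER BY %I',
                              p_order_col)
    USING p_user;
END $$;

-- Same hostile value through both: the unsafe function's WHERE clause is
-- rewritten by it and matches every row; the safe function compares it as a
-- plain string, which no username equals, and matches nothing.
SELECT count(*) AS unsafe_rows FROM find_account_unsafe('x'' OR ''1''=''1');
SELECT count(*) AS safe_rows   FROM find_account_safe('x'' OR ''1''=''1');

-- A hostile identifier is quoted as one column name and rejected by the
-- planner as a non-existent column rather than executed as extra SQL.
-- SELECT * FROM find_account_safe('alice', 'id; DROP TABLE accounts');
```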

[GENERAL] Avoiding SQL injection in Dynamic Queries (in plpgsql)

2010-03-17 Thread Allan Kamau
When writing dynamic commands (those having "EXECUTE 'some SQL query';), is there a way to prevent interpretation of input parameters as pieces of SQL commands? Does the quote_literal() function implicitly protect against this unwanted behaviour?

Allan.

--
Sent via pgsql-general mailing list (pgsql-