Preventing SQL Injection in PL/pgSQL in psql

From: "Karen Hill" <karen_hill22(at)yahoo(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Preventing SQL Injection in PL/pgSQL in psql
Date: 2006-05-10 00:04:31
Message-ID: 1147219471.500510.248860@i40g2000cwc.googlegroups.com
Lists: pgsql-general

Is my understanding correct that the following is vulnerable to SQL
injection in psql:

CREATE OR REPLACE FUNCTION fx ( my_var bpchar)
RETURNS void AS
$$
BEGIN
INSERT INTO fx VALUES ( my_var ) ;
END;
$$
LANGUAGE 'plpgsql' VOLATILE;

Where this is NOT subject to SQL injection:

CREATE OR REPLACE FUNCTION fx ( my_var bpchar)
RETURNS void AS
$$
BEGIN
EXECUTE ' INSERT INTO fx VALUES ( ' || quote_literal( my_var) || ' ); ';
END;
$$ LANGUAGE 'plpgsql' VOLATILE;

Is this understanding correct?
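Added example, not part of Karen Hill's post: the same insert written four ways in PL/pgSQL and fed a constructed quote-bearing input, to show why the static form and the quote_literal()/USING forms keep the value as data while raw concatenation lets it alter the statement. Assumes a current PostgreSQL (EXECUTE ... USING needs 8.4 or later) and a throwaway table named fx.

```sql
-- Constructed demo table (not from the original post).
CREATE TABLE fx (my_col text);

-- 1. Static SQL inside PL/pgSQL: my_var is bound as a parameter of the
--    prepared statement, never spliced into the query text.
CREATE OR REPLACE FUNCTION fx_static(my_var text) RETURNS void AS $$
BEGIN
    INSERT INTO fx VALUES (my_var);
END;
$$ LANGUAGE plpgsql VOLATILE;

-- 2. Dynamic SQL built by raw concatenation: a quote inside my_var ends
--    the literal early and the remainder of the value is parsed as SQL.
CREATE OR REPLACE FUNCTION fx_raw(my_var text) RETURNS void AS $$
BEGIN
    EXECUTE 'INSERT INTO fx VALUES (''' || my_var || ''')';
END;
$$ LANGUAGE plpgsql VOLATILE;

-- 3. Dynamic SQL with quote_literal(), as in the post: the value is
--    escaped into a well-formed string literal before concatenation.
CREATE OR REPLACE FUNCTION fx_quoted(my_var text) RETURNS void AS $$
BEGIN
    EXECUTE 'INSERT INTO fx VALUES (' || quote_literal(my_var) || ')';
END;
$$ LANGUAGE plpgsql VOLATILE;

-- 4. Dynamic SQL with a bound parameter (PostgreSQL 8.4+): the value never
--    touches the query string, so no quoting is needed at all.
CREATE OR REPLACE FUNCTION fx_using(my_var text) RETURNS void AS $$
BEGIN
    EXECUTE 'INSERT INTO fx VALUES ($1)' USING my_var;
END;
$$ LANGUAGE plpgsql VOLATILE;

-- Constructed input containing a single quote and a statement terminator.
SELECT fx_static('O''Brien; -- tail');
SELECT fx_quoted('O''Brien; -- tail');
SELECT fx_using ('O''Brien; -- tail');
-- fx_raw with the same input fails with a syntax error: the quote in the
-- value terminated the literal, which is the symptom of an injectable query.
-- SELECT fx_raw('O''Brien; -- tail');

-- Each row stored by the three safe variants holds the input verbatim.
SELECT my_col, my_col = 'O''Brien; -- tail' AS stored_verbatim FROM fx;
```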
