| From: | Neil Conway <neilc(at)samurai(dot)com> |
|---|---|
| To: | Agent M <agentm(at)themactionfaction(dot)com> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: binds only for s,u,i,d? |
| Date: | 2006-07-05 21:02:15 |
| Message-ID: | 1152133336.5466.8.camel@localhost |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, 2006-07-05 at 06:55 -0400, Agent M wrote:
> Like you said, it would make sense to have binds anywhere where there
> are quoted strings- if only for anti-injection. There could be a "flat"
> plan which simply did the string substitution with the proper escaping
> at execute time.
I don't see the point of implementing this in the backend. Perhaps what
you're really asking for is basically PQescapeIdentifier()?
> Escaping vulnerabilities would then be taken care of by server updates.
Escaping vulnerabilities are hardly the common case; in any case,
implementing this in libpq would allow a similar upgrade path.
-Neil
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Chris Campbell | 2006-07-06 00:06:12 | Re: lastval exposes information that currval does not |
| Previous Message | Martijn van Oosterhout | 2006-07-05 20:02:30 | Re: Scan Keys |