Re: Escaping `psql --variable`

From: Jeff Davis <pgsql(at)j-davis(dot)com>
To: Alan Gutierrez <alan(at)prettyrobots(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Escaping `psql --variable`
Date: 2012-05-30 00:19:49
Message-ID: 1338337189.28651.25.camel@sussancws0025
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Tue, 2012-05-29 at 18:32 -0400, Alan Gutierrez wrote:
> Surprised that this works:
>
> echo ":foo" | psql --variable foo="SELECT 1 AS FOO;" template1
>
> Why doesn't `psql` escape parameters passed in through `--variable`. When I use
> a library in other languages, they will escape the variable.
>
> How do I use `psql` from `bash` so that it will escape variables and thwart SQL
> injection?

http://www.postgresql.org/docs/9.1/static/app-psql.html#APP-PSQL-VARIABLES

In particular, look at the section on SQL Interpolation. Hopefully that
answers your question.

Regards,
Jeff Davis

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Craig Ringer 2012-05-30 01:56:56 Re: Export and import from one postgres server to another
Previous Message Jeff Davis 2012-05-30 00:14:32 Re: Updateable Views or Synonyms.