Re: design, plpgsql and sql injection in dynamically generated sql

On Mon, 17 Aug 2009 12:48:21 +0200
Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> wrote:

> Hello
>
> I am not sure, if it's possible for you. PostgreSQL 8.4 has EXECUTE
> USING clause, it is 100% safe.

Sorry I don't get it.

How can I use USING safely when the substitution involves a table
name?

The examples I've seen just involve column values.

Where is the corresponding fine manual page?

Still I don't get how USING could make safer plpgsql functions...
well... I'm going to check some prejudices I have on pg functions
firts...

I thought that if you passed eg. text to
create or replace function typetest(a int) returns text as
$$
begin
raise notice 'is this an int? %', a;
-- don't do anything else with a

and calling

select * from typetest('tonno');

was going to raise an error anyway.

So somehow I find the example here
http://okbob.blogspot.com/2008/06/execute-using-feature-in-postgresql-84.html
not really helpful in understanding what's going on.

Maybe an example with text comparing a version using quote_literal
and one using USING could be clearer...

or am I completely missing the point?

far from an optimal solution I've built a "client side" array of
permitted table, key to dynamically build the query on the client
side.

--
Ivan Sergio Borgonovo
http://www.webthatworks.it