Escaping `psql --variable`

From: Alan Gutierrez <alan(at)prettyrobots(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Escaping `psql --variable`
Date: 2012-05-29 22:32:54
Message-ID: 20120529223254.GB3732@gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Surprised that this works:

echo ":foo" | psql --variable foo="SELECT 1 AS FOO;" template1

Why doesn't `psql` escape parameters passed in through `--variable`. When I use
a library in other languages, they will escape the variable.

How do I use `psql` from `bash` so that it will escape variables and thwart SQL
injection?

--
Alan Gutierrez - @bigeasy

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Tim Uckun 2012-05-29 23:16:26 Updateable Views or Synonyms.
Previous Message Mark Phillips 2012-05-29 21:28:29 full text searching