| From: | Shachar Shemesh <psql(at)shemesh(dot)biz> |
|---|---|
| To: | Gaetano Mendola <mendola(at)bigfoot(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: No parameters support in "create user"? |
| Date: | 2004-09-21 06:55:25 |
| Message-ID: | 414FD05D.4000505@shemesh.biz |
| Lists: | pgsql-hackers |

Gaetano Mendola wrote:
> Shachar Shemesh wrote:
>
>> Tom Lane wrote:
>>
>>> Parameters are only supported in plannable statements
>>> (SELECT/INSERT/UPDATE/DELETE; I think there is some hack for DECLARE
>>> CURSOR these days too).
>>>
>>>
>> That's a shame.
>>
>> Aside from executing prepared statements, parameters are also useful
>> for preventing SQL injections. Under those cases, they are useful for
>> all commands, not only those that can be prepared.
>>
>> Oh well. I'm not sure whether that's extremely clever or downright
>> insane, but I'm solving this problem by calling "Select
>> quote_literal($1)" and "select quote_id($1)", and then using the
>> results.
>
>
> Create your own plpgsql function and call it.

In a way you can say I did `-). This is what I'm using:
http://gborg.postgresql.org/projects/oledb
--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
http://www.lingnu.com/
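
The server-side quoting approach discussed in this thread, wrapped in a PL/pgSQL function as suggested in the quoted reply. This is an added example, not code from the original message or from the oledb project. The function name `create_login_user` and its parameter names are hypothetical; `quote_ident` and `quote_literal` are PostgreSQL built-ins.

```sql
-- Added example: hypothetical helper, not part of the original message.
-- CREATE USER is a utility statement, so $1-style parameters cannot be bound
-- to it directly. The values arrive here as ordinary function arguments of a
-- plannable SELECT, are quoted by the server, and only then are spliced into
-- the command text.
CREATE OR REPLACE FUNCTION create_login_user(p_name text, p_password text)
RETURNS void
LANGUAGE plpgsql
AS $$
BEGIN
    -- quote_ident() and quote_literal() return NULL for NULL input, which
    -- would turn the whole concatenated command into NULL; reject it early.
    IF p_name IS NULL OR p_password IS NULL THEN
        RAISE EXCEPTION 'user name and password must not be NULL';
    END IF;

    -- Identifier quoting for the role name, literal quoting for the password.
    EXECUTE 'CREATE USER ' || quote_ident(p_name)
         || ' PASSWORD '   || quote_literal(p_password);
END;
$$;

-- Caller side: this is a plannable statement, so bind parameters work.
--   SELECT create_login_user($1, $2);

-- Constructed inputs containing quote characters and statement separators,
-- to inspect what the two quoting functions hand back before it is executed:
SELECT quote_ident('bob; DROP TABLE accounts; --') AS quoted_identifier,
       quote_literal('pw'' SUPERUSER; --')         AS quoted_literal;
```

The function is left as SECURITY INVOKER (the default), so the caller still needs the privilege to create users.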