| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
| Cc: | Andy Colson <andy(at)squeakycode(dot)net>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: How does one make the following psql statement sql-injection resilient? |
| Date: | 2015-03-19 19:36:25 |
| Message-ID: | CAKFQuwZSTGUqg6pG1QaE_YVwCaneHYRpMd2FJmwmY5Wbb3OT0A@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Mon, Mar 16, 2015 at 9:31 PM, David G. Johnston <
david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
> On Monday, March 16, 2015, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
> wrote:
>
>> David G. Johnston wrote:
>>
>> > Thanks! I got the gist even with the typo. I actually pondered about
>> > prepare/execute after hitting send. Am I correct in remembering that
>> > "CREATE TEMP TABLE" cannot be prepared? I was using the actual query
>> with
>> > CREATE TEMP TABLE and then issuing "\copy" to dump the result out to the
>> > file. The limitation of copy to having to be written on a single line
>> > makes the intermediary temporary table seem almost a necessity.
>>
>> CREATE TEMP TABLE AS EXECUTE
>>
>>
> Thanks.
>
> Though unless I need to work on the temp table I think:
>
> PREPARE ...;
> \copy (EXECUTE ...) TO '~/temp.csv' ...;
>
> Gives the best of all worlds.
>
>
Except that server "COPY" only is documented to accept a "query" that
begins with either SELECT or VALUES :(
I hereby voice my desire for EXECUTE to be usable as well.
David J.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2015-03-19 19:43:27 | Re: How does one make the following psql statement sql-injection resilient? |
| Previous Message | Peter Geoghegan | 2015-03-19 18:54:32 | Re: Unicode license compatibility with PostgreSQL license |