| From: | "Igor Neyman" <ineyman(at)perceptron(dot)com> |
|---|---|
| To: | "Asko Oja" <ascoja(at)gmail(dot)com> |
| Cc: | "Tatarnikov Alexander" <cankrus(at)gmail(dot)com>, <pgsql-sql(at)postgresql(dot)org> |
| Subject: | Re: Use "CREATE USER" in plpgsql function - Found word(s) list error in the Text body |
| Date: | 2010-09-15 19:06:34 |
| Message-ID: | F4C27E77F7A33E4CA98C19A9DC6722A206827E25@EXCHANGE.corp.perceptron.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-sql |
> -----Original Message-----
> From: Asko Oja [mailto:ascoja(at)gmail(dot)com]
> Sent: Wednesday, September 15, 2010 2:29 PM
> To: Igor Neyman
> Cc: Tatarnikov Alexander; pgsql-sql(at)postgresql(dot)org
> Subject: Re: [SQL] Use "CREATE USER" in plpgsql function -
> Found word(s) list error in the Text body
>
> And dynamic SQL leads easily to SQL injection so quoting is
> required there.
>
> execute 'create user ' || quote_ident(i_username) ||
> ' password ' || quote_literal(i_password);
>
>
> On Wed, Sep 15, 2010 at 5:26 PM, Igor Neyman
> <ineyman(at)perceptron(dot)com> wrote:
>
That's too "generic".
I was answering specific question.
Now, yes, dynamic sql could be used for SQL injection, if not used
carefully.
But, it exists for a reason.
And in this particular case userName and userPassword retrieved from a
table.
So, care should be taken (appropriate checks to be done) when these
values inserted into the table.
Btw., do you have another answer to OP question?
Regards,
Igor Neyman
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Igor Neyman | 2010-09-15 19:08:06 | Re: Use "CREATE USER" in plpgsql function - Found word(s) list error in the Text body |
| Previous Message | Asko Oja | 2010-09-15 18:28:40 | Re: Use "CREATE USER" in plpgsql function |