Re: Avoiding SQL injection in Dynamic Queries (in plpgsql)

From: Allan Kamau <kamauallan(at)gmail(dot)com>
To: Postgres General Postgres General <pgsql-general(at)postgresql(dot)org>
Subject: Re: Avoiding SQL injection in Dynamic Queries (in plpgsql)
Date: 2010-03-17 09:06:03
Message-ID: ab1ea6541003170206q63679f41g1d2340ea2e1e480d@mail.gmail.com
Lists: pgsql-general

On Wed, Mar 17, 2010 at 11:41 AM, Craig Ringer
<craig(at)postnewspapers(dot)com(dot)au> wrote:
> Allan Kamau wrote:
>> When writing dynamic commands (those having "EXECUTE 'some SQL
>> query';), is there a way to prevent interpretation of input parameters
>> as pieces of SQL commands?
>
> EXECUTE ... USING
>
> --
> Craig Ringer
>

Thanks Craig, EXECUTE ... USING is what I had overlooked all this time.
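The point of the exchange above, shown in code as an added example that is not part of the thread: the same plpgsql lookup written with string concatenation, which lets quote characters in the argument become part of the command, and then with EXECUTE ... USING, which binds the argument as a parameter that the server never parses as SQL. The table, column and function names are assumed for illustration, and the sample row is constructed. The third function covers the case USING cannot handle, a variable table or column name, using format() with %I, which requires PostgreSQL 9.1 or later (on older releases, quote_ident() does the same job).

```sql
-- Constructed sample table and row (not from the thread).
CREATE TABLE IF NOT EXISTS accounts (
    id       serial PRIMARY KEY,
    username text NOT NULL,
    email    text NOT NULL
);
INSERT INTO accounts (username, email) VALUES ('alice', 'alice@example.org');

-- Vulnerable form: the caller's value is spliced into the SQL text, so
-- any quote characters in p_username are interpreted as part of the command.
CREATE OR REPLACE FUNCTION find_email_unsafe(p_username text)
RETURNS text LANGUAGE plpgsql AS $$
DECLARE
    v_email text;
BEGIN
    EXECUTE 'SELECT email FROM accounts WHERE username = ''' || p_username || ''''
    INTO v_email;
    RETURN v_email;
END;
$$;

-- Safe form (Craig's suggestion): EXECUTE ... USING passes the value as the
-- bound parameter $1. It is sent as data, never parsed as SQL, whatever it
-- contains, so no quoting logic is needed in the function.
CREATE OR REPLACE FUNCTION find_email(p_username text)
RETURNS text LANGUAGE plpgsql AS $$
DECLARE
    v_email text;
BEGIN
    EXECUTE 'SELECT email FROM accounts WHERE username = $1'
    INTO v_email
    USING p_username;
    RETURN v_email;
END;
$$;

-- Identifiers (table or column names) cannot be bound with USING. When they
-- must vary, build the command with format() and %I (identifier quoting)
-- rather than plain concatenation, and still bind the data value with USING.
-- format() exists from PostgreSQL 9.1; earlier releases use quote_ident().
CREATE OR REPLACE FUNCTION find_column(p_table text, p_column text, p_username text)
RETURNS text LANGUAGE plpgsql AS $$
DECLARE
    v_result text;
BEGIN
    EXECUTE format('SELECT %I FROM %I WHERE username = $1', p_column, p_table)
    INTO v_result
    USING p_username;
    RETURN v_result;
END;
$$;

-- Usage: both safe forms return the email for the constructed sample row.
SELECT find_email('alice');
SELECT find_column('accounts', 'email', 'alice');
```

A quick way to audit existing plpgsql code for the unsafe pattern is to search function bodies (pg_proc.prosrc) for EXECUTE statements that concatenate with || and have no USING clause; each hit should either take its data values through USING or, for identifiers, through format()/quote_ident().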
