From: | Agent M <agentm(at)themactionfaction(dot)com> |
---|---|
To: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | binds only for s,u,i,d? |
Date: | 2006-07-04 03:28:36 |
Message-ID: | ea308f57eedbeb2bb52cc60d97a7c558@themactionfaction.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Why are only select, insert, update, and delete supported for $X binds?
Why can't preparation be used as a global anti-injection facility?
Example using the backend protocol for binds:
PREPARE TRANSACTION $1;
bind $1 ['text']
-->syntax error at $1
Why am I able to prepare statements with the backend protocol that I
can't prepare with PREPARE:
agentm=# prepare gonk as prepare transaction $1;
ERROR: syntax error at or near "prepare" at character 17
LINE 1: prepare gonk as prepare transaction $1;
whereas the backend protocol only emits an error when the statement is
executed [and the binds are ignored].
-M
¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬
AgentM
agentm(at)themactionfaction(dot)com
¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬
From | Date | Subject | |
---|---|---|---|
Next Message | Neil Conway | 2006-07-04 04:52:35 | system info functions |
Previous Message | Greg Stark | 2006-07-04 01:22:52 | Re: Transaction and table partitioning |