| From: | Agent M <agentm(at)themactionfaction(dot)com> |
|---|---|
| To: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | binds only for s,u,i,d? |
| Date: | 2006-07-04 03:28:36 |
| Message-ID: | ea308f57eedbeb2bb52cc60d97a7c558@themactionfaction.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Why are only select, insert, update, and delete supported for $X binds?
Why can't preparation be used as a global anti-injection facility?
Example using the backend protocol for binds:
PREPARE TRANSACTION $1;
bind $1 ['text']
-->syntax error at $1
Why am I able to prepare statements with the backend protocol that I
can't prepare with PREPARE:
agentm=# prepare gonk as prepare transaction $1;
ERROR: syntax error at or near "prepare" at character 17
LINE 1: prepare gonk as prepare transaction $1;
whereas the backend protocol only emits an error when the statement is
executed [and the binds are ignored].
-M
¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬
AgentM
agentm(at)themactionfaction(dot)com
¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬ ¬
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Neil Conway | 2006-07-04 04:52:35 | system info functions |
| Previous Message | Greg Stark | 2006-07-04 01:22:52 | Re: Transaction and table partitioning |