ToDo: support for parameters in EXECUTE statement

Started by Pavel Stehule almost 15 years ago, 3 messages

#1 Pavel Stehule
pavel.stehule@gmail.com

Hello

The EXECUTE statement doesn't support parametrization via the
SPI_execute_with_args call and PQexecParams either. It can be a security
issue. If somebody uses a prepared statement as protection against SQL
injection, then all security goes out, because he has to call EXECUTE
without parametrization.

Regards

Pavel Stehule

#2 Heikki Linnakangas
heikki.linnakangas@enterprisedb.com
In reply to: Pavel Stehule (#1)
Re: ToDo: support for parameters in EXECUTE statement

On 19.01.2011 12:53, Pavel Stehule wrote:

> The EXECUTE statement doesn't support parametrization via the
> SPI_execute_with_args call and PQexecParams either. It can be a security
> issue. If somebody uses a prepared statement as protection against SQL
> injection, then all security goes out, because he has to call EXECUTE
> without parametrization.

Why don't you use SPI_prepare and SPI_open_query?

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

#3 Pavel Stehule
pavel.stehule@gmail.com
In reply to: Heikki Linnakangas (#2)
Re: ToDo: support for parameters in EXECUTE statement

2011/1/19 Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>:

> On 19.01.2011 12:53, Pavel Stehule wrote:
>
> > The EXECUTE statement doesn't support parametrization via the
> > SPI_execute_with_args call and PQexecParams either. It can be a security
> > issue. If somebody uses a prepared statement as protection against SQL
> > injection, then all security goes out, because he has to call EXECUTE
> > without parametrization.
>
> Why don't you use SPI_prepare and SPI_open_query?

I have to execute a session's prepared statement - created with the
PREPARE statement.

Pavel

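Since EXECUTE cannot take Bind parameters, a caller who must run a session's PREPARE'd statement with untrusted values is left embedding them in the query string, and the safe way to do that is exact literal quoting. The following is an added example (not code from the thread or from PostgreSQL) contrasting raw interpolation with a quoted form; the statement name find_account and the attacker input are constructed.

```python
import re

# Added example, not code from the thread or from PostgreSQL: when a
# session-level PREPARE'd statement must be run through plain EXECUTE (no
# protocol-level Bind), every argument is embedded as a literal, so the
# literal quoting has to be exact.  Assumes a client encoding such as UTF-8,
# in which ' and \ cannot occur inside a multibyte character.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # unquoted SQL identifier


def pg_literal(value):
    """Render a Python value as a PostgreSQL literal for use inside EXECUTE."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):  # must precede the int check (bool is an int)
        return "TRUE" if value else "FALSE"
    if isinstance(value, int):
        return str(value)
    if not isinstance(value, str):
        raise TypeError("unsupported parameter type: %r" % type(value))
    if "\x00" in value:
        raise ValueError("PostgreSQL string literals cannot contain NUL")
    # An E'...' literal always treats backslash as an escape, so doubling both
    # backslash and quote is correct whatever standard_conforming_strings is
    # set to; libpq's PQescapeLiteral achieves the same safely by consulting
    # the connection's setting.
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    return "E'" + escaped + "'"


def naive_execute(stmt_name, arg):
    """The pattern the thread warns about: raw interpolation into EXECUTE."""
    return "EXECUTE %s('%s')" % (stmt_name, arg)


def safe_execute(stmt_name, args):
    """Same call with the statement name validated and every argument quoted."""
    if not IDENT_RE.match(stmt_name):
        raise ValueError("invalid prepared statement name: %r" % stmt_name)
    return "EXECUTE %s(%s)" % (stmt_name, ", ".join(pg_literal(a) for a in args))


MALICIOUS = "x'); DELETE FROM accounts; --"  # constructed attacker input

if __name__ == "__main__":
    print(naive_execute("find_account", MALICIOUS))   # two statements
    print(safe_execute("find_account", [MALICIOUS]))  # one quoted literal
```

From a libpq client the better route is PQexecPrepared, which binds parameters to a statement created with SQL PREPARE; the quoting fallback is for contexts like the server-side SPI case in the thread, where only a query string can be sent.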