BUG #13753: Docs for plpy.execute() miss info about quoting
The following bug has been logged on the website:
Bug reference: 13753
Logged by: Thomas Güttler
Email address: guettliml@thomas-guettler.de
PostgreSQL version: 9.4.5
Operating system: Linux
Description:
This page misses important information:
http://www.postgresql.org/docs/9.4/static/plpython-database.html
How to quote the arguments?
The relevant information is here:
http://www.postgresql.org/docs/9.4/static/plpython-util.html
Please include a link from the execute() docs to the quoting docs.
I was trapped by a bug made by a team mate who did no quoting.
Not quoting the values of a SQL query can lead to SQL injects which are a
big security concern.
Please add a note to the docs.
Thank you.
--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
guettliml@thomas-guettler.de writes:
This page misses important information:
http://www.postgresql.org/docs/9.4/static/plpython-database.html
How to quote the arguments?
AFAICS, none of the examples shown there require quoting of arguments,
so the issue doesn't really come up naturally.
The relevant information is here:
http://www.postgresql.org/docs/9.4/static/plpython-util.html
Please include a link from the execute() docs to the quoting docs.
We cannot put everything on one page; that will not make it more
readable or understandable.
regards, tom lane
--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs