"Alex J. Avriette" <[EMAIL PROTECTED]> writes:
> On Sun, Feb 08, 2004 at 01:33:31PM -0500, Tom Lane wrote:
>> Actually, the extended-query message in the new FE/BE protocol works
>> exactly that way.

> (Tom is referring to this:
> http://archives.postgresql.org/pgsql-interfaces/2003-03/msg00017.php)

That's not a particularly helpful link, since it predates the whole
concept of the extended query protocol.  See
http://www.postgresql.org/docs/7.4/static/protocol.html#PROTOCOL-QUERY-CONCEPTS
http://www.postgresql.org/docs/7.4/static/protocol-flow.html#AEN52626
particularly the NOTE in the latter section.

> How would you suggest implementing this? Having a "no subqueries" setting?

The app programmer could choose to use only extended queries and not
simple Query messages.  (If using libpq, this means only PQexecParams
and never PQexec.)

> I agree with this as well. In my original message, I complained that there
> was no documentation at all. Since we offer documentation on how to code
> in plpgsql, pltcl, plperl, etc., it might be nice to include something.
> Even if it were something brief, such as suggesting escaped quotes and
> other suspicious characters, it would be better than the nothing that is
> there presently.

Is this "nothing"?
http://www.postgresql.org/docs/7.4/static/libpq-exec.html#LIBPQ-EXEC-ESCAPE-STRING

I don't think the docs are nearly as bereft of security-related items as
you claim.  They may be scattered and poorly indexed, but they're there.

			regards, tom lane
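The two defences Tom points at above (send the value as an extended-query parameter via PQexecParams, or escape it before splicing it into a PQexec string) can be shown side by side without a server. The following is an added example, not code from the thread or from libpq: it builds the SQL text an unsafe PQexec caller would send, runs a small statement counter that approximates how the backend lexer splits a simple Query message, and contrasts that with the constant query text the PQexecParams path sends. The attacker input, the `users` table, and `escape_literal` (a re-implementation of the doubling rule the 7.4 PQescapeString applies, not the libpq function itself) are assumptions of this example; the counter ignores dollar quoting, double-quoted identifiers and block comments.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed attacker value for a "username" field (assumption for this example). */
static const char *EVIL_NAME = "alice'; DROP TABLE users; --";

/* Query text for the extended-query path. The value travels as a separate
   parameter, so the SQL text is the same whatever the user typed. With libpq:
   PQexecParams(conn, SAFE_SQL, 1, NULL, &value, NULL, NULL, 0); */
static const char *SAFE_SQL = "SELECT id FROM users WHERE name = $1";

/* Unsafe construction: the value is spliced into the SQL text, as a PQexec
   caller would do. Returns the number of characters snprintf wrote. */
int build_unsafe_query(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz, "SELECT id FROM users WHERE name = '%s'", name);
}

/* Stand-in for PQescapeString (assumption: re-implements the 7.4 rule of
   doubling every single quote and backslash; this is not libpq's code).
   'to' must hold 2*strlen(from)+1 bytes. Returns characters written. */
size_t escape_literal(char *to, const char *from)
{
    size_t n = 0;
    for (; *from; from++) {
        if (*from == '\'' || *from == '\\')
            to[n++] = *from;           /* emit the character twice */
        to[n++] = *from;
    }
    to[n] = '\0';
    return n;
}

/* Count the statements a simple Query message would carry. Approximates the
   backend lexer: ';' outside a quoted literal ends a statement, '' and \'
   inside a literal do not, and "--" comments run to end of line. */
int count_statements(const char *sql)
{
    int count = 0, in_literal = 0, has_token = 0;
    for (const char *p = sql; *p; p++) {
        if (in_literal) {
            if (*p == '\\' && p[1])              /* backslash escape (pre-8.x) */
                p++;
            else if (*p == '\'' && p[1] == '\'') /* doubled quote stays inside */
                p++;
            else if (*p == '\'')
                in_literal = 0;
            continue;
        }
        if (*p == '-' && p[1] == '-') {          /* comment: skip to end of line */
            while (*p && *p != '\n') p++;
            if (!*p) break;
            continue;
        }
        if (*p == '\'') { in_literal = 1; has_token = 1; continue; }
        if (*p == ';') {                         /* top-level statement separator */
            if (has_token) count++;
            has_token = 0;
            continue;
        }
        if (*p != ' ' && *p != '\t' && *p != '\n') has_token = 1;
    }
    if (has_token) count++;
    return count;
}

/* Statements in the query a naive PQexec caller would send for 'name'. */
int statements_in_unsafe_query(const char *name)
{
    char buf[512];
    build_unsafe_query(buf, sizeof buf, name);
    return count_statements(buf);
}

/* Statements when the value is escaped first and then spliced in. */
int statements_in_escaped_query(const char *name)
{
    char esc[256], buf[512];
    escape_literal(esc, name);
    build_unsafe_query(buf, sizeof buf, esc);
    return count_statements(buf);
}

int main(void)
{
    printf("unsafe PQexec text:    %d statement(s)\n", statements_in_unsafe_query(EVIL_NAME));
    printf("escaped PQexec text:   %d statement(s)\n", statements_in_escaped_query(EVIL_NAME));
    printf("PQexecParams text:     %d statement(s)\n", count_statements(SAFE_SQL));
    return 0;
}
```

The unsafe text comes out as two statements (the injected DROP rides along in the same simple Query message); escaping collapses it back to one, and the PQexecParams text never varies with input at all, which is why the extended protocol's one-statement-per-Parse rule closes this hole without any escaping discipline on the caller's side.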