On Tue, 2012-05-29 at 18:32 -0400, Alan Gutierrez wrote: > Surprised that this works: > > echo ":foo" | psql --variable foo="SELECT 1 AS FOO;" template1 > > Why doesn't `psql` escape parameters passed in through `--variable`. When I > use > a library in other languages, they will escape the variable. > > How do I use `psql` from `bash` so that it will escape variables and thwart > SQL > injection?
http://www.postgresql.org/docs/9.1/static/app-psql.html#APP-PSQL-VARIABLES In particular, look at the section on SQL Interpolation. Hopefully that answers your question. Regards, Jeff Davis -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
