Is my understanding correct that the following is vulnerable to SQL
injection in psql:
CREATE OR REPLACE FUNCTION fx ( my_var bchar)
RETURNS void AS
$$
BEGIN
INSERT INTO fx VALUES ( my_var ) ;
END;
$$
LANGUAGE 'plpgsql' VOLATILE
Where this is NOT subject to SQL injection:
CREATE OR REPLACE FUNCTION fx ( my_var bpchar)
RETURNS void AS
$$
BEGIN
EXECUTE ' INSERT INTO fx VALUES ( ' || quote_literal( my_var) || ' ); '
END;
$$ LANGUAGE 'plpgsql' VOLATILE
Is this understanding correct?
---------------------------(end of broadcast)---------------------------
TIP 4: Have you searched our list archives?
http://archives.postgresql.org
