On Wed, Apr 30, 2008 at 10:58 PM, Tom Lane <[EMAIL PROTECTED]> wrote:

> "Gurjeet Singh" <[EMAIL PROTECTED]> writes:
> > Maybe we can extend the SQL's WITH clause to declare the constant along with
> > the query, and not separate from the query.
>
> > WITH CONSTANT c_jobrole = 'clerk', CONSTANT c_dept = 10
> > SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
>
> [ scratches head... ]  And that will provide SQL injection protection how?


Well, if the query was:

WITH CONSTANT c_jobrole = <value from a FORM text field>, CONSTANT c_dept = 10
SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;

And if the attacker supplied a value 'clerk OR 1=1' the final query (after
replacing constants) would look like this:

SELECT * FROM emp WHERE jobrole = 'clerk OR 1=1' and deptno = 10;

The attacker was not able to inject any new code there.

(reiterates: and let postgres allow literals only in the WITH clause)


>
> Anyway, you hardly need new syntax to do that, I'd expect
>
>        WITH SELECT 'clerk' AS c_jobrole ...
>
> to accomplish it just fine.
>

I am not sure I understood this example.

Best regards,

-- 
[EMAIL PROTECTED]
[EMAIL PROTECTED] gmail | hotmail | indiatimes | yahoo }.com

EnterpriseDB http://www.enterprisedb.com

Mail sent from my BlackLaptop device
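Tom Lane's CTE suggestion, spelled out as an added example that is not from either poster: the constants live in a WITH clause and arrive as bind parameters, so the query text is fixed and the form value can only ever be compared as a string literal. The emp rows and column names beyond jobrole/deptno are constructed for the demo, and SQLite stands in for PostgreSQL.

```python
import sqlite3

# Constructed sample data standing in for the emp table discussed in the thread.
EMP_ROWS = [
    (1, "alice", "clerk", 10),
    (2, "bob", "clerk", 20),
    (3, "carol", "manager", 10),
]

# The constants are exposed through a CTE and the main query refers to them by
# name. Their values are bound parameters (?), never spliced into the SQL text,
# which is what actually gives the injection protection the thread is after.
QUERY = """
WITH k AS (SELECT ? AS c_jobrole, ? AS c_dept)
SELECT emp.empno, emp.ename
FROM emp, k
WHERE emp.jobrole = k.c_jobrole AND emp.deptno = k.c_dept
ORDER BY emp.empno
"""


def open_demo_db():
    """Create an in-memory database holding the constructed emp rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE emp (empno INTEGER, ename TEXT, jobrole TEXT, deptno INTEGER)"
    )
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?, ?)", EMP_ROWS)
    return conn


def find_emps(conn, jobrole, dept):
    """Run the fixed CTE query with the untrusted jobrole bound as a literal."""
    return conn.execute(QUERY, (jobrole, dept)).fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    print(find_emps(db, "clerk", 10))          # [(1, 'alice')]
    # The value from the thread is compared as the plain string 'clerk OR 1=1'
    # and matches nothing; no new SQL is parsed.
    print(find_emps(db, "clerk OR 1=1", 10))   # []
```

The protection comes from binding, not from the WITH syntax: an application that assembled the WITH clause itself by string concatenation would gain nothing.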
