On Sep 14, 2009, at 12:13 AM, Pavel Stehule wrote:
2009/9/13 decibel <deci...@decibel.org>:
On Sep 12, 2009, at 5:54 PM, Andrew Dunstan wrote:

decibel wrote:

Speaking of concatenation...

Something I find sorely missing in plpgsql is the ability to put
variables inside of a string, ie:

DECLARE
v_table text := ...
v_sql text;
BEGIN
v_sql := "SELECT * FROM $v_table";

Of course, I'm assuming that if it was easy to do that it would be done
already... but I thought I'd just throw it out there.


Then use a language that supports variable interpolation in strings, like
plperl, plpythonu, plruby .... instead of plpgsql.


Which makes executing SQL much, much harder.

At least if we get sprintf dealing with strings might become a bit easier...

This feature is nice - but very dangerous - it is the easiest way to make
an application vulnerable to SQL injection!


How is it any worse than what people can already do? Anyone who isn't aware of the dangers of SQL injection has already screwed themselves. You're basically arguing that they would put a variable inside of quotes, but they would never use ||.
--
Decibel!, aka Jim C. Nasby, Database Architect  deci...@decibel.org
Give your computer some brain candy! www.distributed.net Team #1828
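As an added illustration of the point argued above (not code from the thread), here is the plpgsql pattern both sides have in mind: a dynamic query built with || on the one hand, and the same query with quote_ident() for the identifier and EXECUTE ... USING for the value on the other. The table audit_demo, its column who, and the function names are constructed for this example; EXECUTE ... USING assumes PostgreSQL 8.4 or later.

```sql
-- Constructed demo table, not part of the original discussion.
CREATE TABLE audit_demo (who text);

-- Risky: table name and value are spliced into the SQL text with ||.
-- This is exactly the concatenation the thread compares interpolation to.
CREATE OR REPLACE FUNCTION count_rows_unsafe(p_table text, p_who text)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE
    v_sql text;
    v_n   bigint;
BEGIN
    v_sql := 'SELECT count(*) FROM ' || p_table
          || ' WHERE who = ''' || p_who || '''';
    EXECUTE v_sql INTO v_n;
    RETURN v_n;
END;
$$;

-- Hardened: the identifier passes through quote_ident(), the value is bound
-- as a parameter with EXECUTE ... USING, so neither can alter the statement.
CREATE OR REPLACE FUNCTION count_rows_safe(p_table text, p_who text)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE
    v_sql text;
    v_n   bigint;
BEGIN
    v_sql := 'SELECT count(*) FROM ' || quote_ident(p_table)
          || ' WHERE who = $1';
    EXECUTE v_sql INTO v_n USING p_who;
    RETURN v_n;
END;
$$;

-- A perfectly ordinary value containing a quote character.
INSERT INTO audit_demo VALUES ('o''brien');

-- The bound parameter compares against the literal string: returns 1.
SELECT count_rows_safe('audit_demo', 'o''brien');

-- The concatenated version produces  ... WHERE who = 'o'brien'  and fails
-- with a syntax error: the data has changed the shape of the statement.
SELECT count_rows_unsafe('audit_demo', 'o''brien');
```

In the concatenated variant the quoting of p_who would have to be done by hand with quote_literal(); binding it with USING removes that step entirely.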



--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers