2011/1/19 Heikki Linnakangas <heikki.linnakan...@enterprisedb.com>:
> On 19.01.2011 12:53, Pavel Stehule wrote:
>>
>> The EXECUTE statement doesn't support parametrization via the
>> SPI_execute_with_args call or via PQexecParams either. It can be a security
>> issue. If somebody uses a prepared statement as protection against SQL
>> injection, then all security goes out, because he has to call EXECUTE
>> without parametrization.
>
> Why don't you use SPI_prepare and SPI_open_query?
I have to execute a session's prepared statement, created with the PREPARE statement.

Pavel

> --
> Heikki Linnakangas
> EnterpriseDB http://www.enterprisedb.com
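An added illustration of the point Pavel raises above. This is example SQL written for this page, not code from the thread or from PostgreSQL itself; the table `users`, the prepared statement `count_by_name`, the function names and the sample input are all assumed. It shows the session-level prepared statement, the string-built `EXECUTE` that loses its protection, and the two ways a practitioner would close the gap.

```sql
-- Added example, not from the thread. Assumes a table users(id int, name text).
CREATE TABLE users (id int PRIMARY KEY, name text);
INSERT INTO users VALUES (1, 'alice'), (2, 'bob');

-- A session-level prepared statement created with PREPARE, as in Pavel's case.
-- Its $1 is a real bind parameter, so the statement itself is injection-safe.
PREPARE count_by_name(text) AS
    SELECT count(*) FROM users WHERE name = $1;

-- The problem: the SQL-level EXECUTE statement cannot receive bind parameters
-- (not through SPI_execute_with_args, not through PQexecParams), so the only
-- way to hand p_name to count_by_name from PL/pgSQL is to paste it into the
-- query text. The protection that PREPARE gave is lost at this point.
CREATE OR REPLACE FUNCTION count_users_unsafe(p_name text) RETURNS bigint
LANGUAGE plpgsql AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE 'EXECUTE count_by_name(''' || p_name || ''')' INTO n;
    RETURN n;
END;
$$;
-- A constructed input such as   x'); DELETE FROM users; --
-- closes the argument list and appends a second statement to the string.

-- Mitigation 1: keep the session prepared statement, but escape the pasted
-- value with quote_literal() so it can never break out of the string literal.
CREATE OR REPLACE FUNCTION count_users_quoted(p_name text) RETURNS bigint
LANGUAGE plpgsql AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE 'EXECUTE count_by_name(' || quote_literal(p_name) || ')' INTO n;
    RETURN n;
END;
$$;

-- Mitigation 2: do not route through the session prepared statement at all.
-- PL/pgSQL's EXECUTE ... USING passes p_name as a bind parameter through SPI,
-- so it is never part of the SQL text. This is the direction Heikki's reply
-- points in, but it sidesteps the session prepared statement, which Pavel
-- says he has to use.
CREATE OR REPLACE FUNCTION count_users_bound(p_name text) RETURNS bigint
LANGUAGE plpgsql AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE 'SELECT count(*) FROM users WHERE name = $1' INTO n USING p_name;
    RETURN n;
END;
$$;

SELECT count_users_bound('alice');
SELECT count_users_quoted($$x'); DELETE FROM users; --$$);
```

With `quote_literal`, the constructed input is compared as one opaque string against `name`, matches no row, and leaves `users` intact; the same input passed to `count_users_unsafe` would instead be parsed as a second statement. `format('EXECUTE count_by_name(%L)', p_name)` is an equivalent spelling of mitigation 1 on server versions that have `format()`.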