> *From:* Asko Oja [mailto:asc...@gmail.com]
> *Sent:* Wednesday, September 15, 2010 2:29 PM
> *To:* Igor Neyman
> *Cc:* Tatarnikov Alexander; pgsql-sql@postgresql.org
> *Subject:* Re: [SQL] Use "CREATE USER" in plpgsql function - Found word(s)
>
And dynamic SQL leads easily to SQL injection so quoting is required there.
execute 'create user ' || quote_ident(i_username) || ' password ' ||
quote_literal(i_password);
On Wed, Sep 15, 2010 at 5:26 PM, Igor Neyman wrote:
>
>
> > -Original Message-
> > From: Tatarnikov Alexand
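The quoting Asko Oja describes above, written out as an added example that is not part of the original thread. The function names create_app_user_unquoted and create_app_user, their parameters and the sample values are hypothetical; ta_users is the group named in the thread and is assumed to exist already.

```sql
-- Added example; function names and sample values are constructed.

-- Unquoted form: the arguments are pasted into the statement text as-is,
-- so any quote character or whitespace in them changes how the
-- statement is parsed.
CREATE OR REPLACE FUNCTION create_app_user_unquoted(i_username text, i_password text)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    EXECUTE 'CREATE USER ' || i_username
         || ' PASSWORD ''' || i_password || ''''
         || ' IN GROUP ta_users';
END;
$$;

-- Quoted form: quote_ident() for the role name (double-quotes it when
-- needed), quote_literal() for the password (wraps it in single quotes
-- and doubles any embedded ones).
CREATE OR REPLACE FUNCTION create_app_user(i_username text, i_password text)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    -- quote_literal(NULL) is NULL and NULL || text is NULL, so a NULL
    -- argument would hand EXECUTE a NULL query string; reject it early.
    IF i_username IS NULL OR i_password IS NULL THEN
        RAISE EXCEPTION 'username and password must not be NULL';
    END IF;

    EXECUTE 'CREATE USER ' || quote_ident(i_username)
         || ' PASSWORD ' || quote_literal(i_password)
         || ' IN GROUP ta_users';
    -- PostgreSQL 9.1 and later can build the same text with
    -- format('CREATE USER %I PASSWORD %L IN GROUP ta_users', i_username, i_password).
END;
$$;

-- Inspect the statement text the quoted form builds, without executing it.
-- Constructed inputs: a role name containing a space and a password
-- containing an apostrophe.
SELECT 'CREATE USER ' || quote_ident('Report User')
    || ' PASSWORD ' || quote_literal('it''s-a-secret')
    || ' IN GROUP ta_users' AS statement_text;
```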
> -Original Message-
> From: Tatarnikov Alexander [mailto:cank...@gmail.com]
> Sent: Wednesday, September 15, 2010 12:05 AM
> To: pgsql-sql@postgresql.org
> Subject: Use "CREATE USER" in plpgsql function
>
> Hello!
>
> I have a function which checks user credentials and if the test
> passed
2010/9/15 Tatarnikov Alexander :
> Thanks for response!
>
> Here is function
>
> CREATE USER creds."userName" WITH PASSWORD creds."userPassword"
> IN GROUP ta_users; - this is where the error occurred
You can not use variables for non-data entities. Use the dynamic SQL instead:
EXECUTE 'CREATE
Hi,
On 15 September 2010 08:05, Tatarnikov Alexander wrote:
> Hello!
>
> I have a function which checks user credentials and if the test passed the function must
> create a new user with a generated username and password.
>
> Language is plpgsql.
>
> So the question is how to "unembrace" this parameter (I mean creds