"Bogdan Tomchuk" <tbp-dsi@poly.polytechnique.fr> writes:
> My question is: if we imagine that the input of UpdateAccount has no
> filtration, or this filtration is incorrect, does there exist any way to modify
> parameters of the Accounts table other than the authorized ones, or records of other
> users? Is there any injection technique possible? Should I still do
> something like quote_literal() systematically on each parameter and
> reverse conversion each time? Or even replace UPDATE.. by EXECUTE
No. The code as you wrote it is perfectly secure --- plpgsql variables
are placeholders, their values aren't injected literally into the SQL
command. If you went over to using EXECUTE then you *would* need
quote_literal to be safe, because then you're synthesizing the complete
SQL command as a string.
regards, tom lane
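A worked illustration of the distinction drawn above, added here and not taken from either poster: the table name `accounts`, its columns, and the function names are assumptions, and the `EXECUTE ... USING` form assumes a PostgreSQL release that supports it.

```sql
-- Added example (not from the thread). Assumes a hypothetical table
-- accounts(id integer, email text, owner text); all names are assumptions.

-- 1. Static SQL inside plpgsql: p_email and p_owner are bound as
--    parameters, never spliced into the command text, so the value of
--    p_email cannot change the statement's structure (the reply's point).
CREATE OR REPLACE FUNCTION update_account_static(p_owner text, p_email text)
RETURNS void AS $$
BEGIN
    UPDATE accounts SET email = p_email WHERE owner = p_owner;
END;
$$ LANGUAGE plpgsql;

-- 2. Dynamic SQL built by string concatenation: the parameter values
--    become part of the SQL text, so a value containing a quote character
--    alters the statement. This is the unsafe pattern the reply warns about.
CREATE OR REPLACE FUNCTION update_account_dynamic_unsafe(p_owner text, p_email text)
RETURNS void AS $$
BEGIN
    EXECUTE 'UPDATE accounts SET email = ''' || p_email
         || ''' WHERE owner = ''' || p_owner || '''';
END;
$$ LANGUAGE plpgsql;

-- 3. Dynamic SQL done the way the reply recommends: every value passes
--    through quote_literal(), which wraps it in quotes and doubles any
--    embedded quote so it stays a literal.
CREATE OR REPLACE FUNCTION update_account_dynamic_quoted(p_owner text, p_email text)
RETURNS void AS $$
BEGIN
    EXECUTE 'UPDATE accounts SET email = ' || quote_literal(p_email)
         || ' WHERE owner = ' || quote_literal(p_owner);
END;
$$ LANGUAGE plpgsql;

-- 4. Equivalent on releases that support EXECUTE ... USING (assumption):
--    $1/$2 are bound as parameters, giving the same guarantee as case 1.
CREATE OR REPLACE FUNCTION update_account_dynamic_using(p_owner text, p_email text)
RETURNS void AS $$
BEGIN
    EXECUTE 'UPDATE accounts SET email = $1 WHERE owner = $2'
        USING p_email, p_owner;
END;
$$ LANGUAGE plpgsql;
```

One caveat for case 3: quote_literal(NULL) returns NULL, which makes the whole concatenated command NULL, so where NULL inputs are possible use quote_nullable() or the USING form instead.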