Re: SQL Injection possible on custom functions
| From | Tom Lane |
|---|---|
| Subject | Re: SQL Injection possible on custom functions |
| Date | |
| Msg-id | 29269.1108399506@sss.pgh.pa.us |
| In reply to | SQL Injection possible on custom functions ("Bogdan Tomchuk" <tbp-dsi@poly.polytechnique.fr>) |
| List | pgsql-general |
"Bogdan Tomchuk" <tbp-dsi@poly.polytechnique.fr> writes:
> My question is: if we imagine that input of UpdateAccount has no
> filtration or this filtration incorrect does exist any way to modify
> other then authorized parameters of Accounts table or records of other
> user? Is there any injection technique possible? Should I still do
> something like quote_literal() systematically on each parameters and
> reverse conversation each time? Or even replace UPDATE.. by EXECUTE
No. The code as you wrote it is perfectly secure --- plpgsql variables
are placeholders, their values aren't injected literally into the SQL
command. If you went over to using EXECUTE then you *would* need
quote_literal to be safe, because then you're synthesizing the complete
SQL command as a string.
regards, tom lane
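The distinction Tom draws, shown as an added example that is not from the original thread: a constructed accounts table and an UpdateAccount-style function written three ways. Table name, column names and function names are assumptions, since the thread does not show the original function body.

```sql
-- Constructed sample schema (assumption: the real Accounts table is not shown).
CREATE TABLE accounts (
    account_id integer PRIMARY KEY,
    owner_name text NOT NULL,
    email      text NOT NULL
);

-- 1. Static SQL inside plpgsql: p_id and p_email are bound as parameters.
--    Their values never become part of the command text, so a value such
--    as  o'brien@example.com  is stored as-is and no quoting is required.
CREATE OR REPLACE FUNCTION update_account_static(p_id integer, p_email text)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    UPDATE accounts SET email = p_email WHERE account_id = p_id;
END;
$$;

-- 2. EXECUTE with plain concatenation: the value is spliced into the
--    command string. Even the legitimate address above breaks this
--    version with a syntax error, because its apostrophe ends the
--    literal early; this is the form the reply says needs quote_literal.
CREATE OR REPLACE FUNCTION update_account_dynamic_unquoted(p_id integer, p_email text)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    EXECUTE 'UPDATE accounts SET email = ''' || p_email
         || ''' WHERE account_id = ' || p_id;
END;
$$;

-- 3. EXECUTE with quote_literal on every value: each value is escaped
--    before it is concatenated, so the apostrophe is doubled and the
--    statement keeps the intended shape.
CREATE OR REPLACE FUNCTION update_account_dynamic_quoted(p_id integer, p_email text)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    EXECUTE 'UPDATE accounts SET email = ' || quote_literal(p_email)
         || ' WHERE account_id = ' || quote_literal(p_id::text) || '::integer';
END;
$$;

-- Constructed check: the static and quoted versions accept the address
-- with an apostrophe; the unquoted version raises a syntax error on it.
INSERT INTO accounts VALUES (1, 'Example User', 'old@example.com');
SELECT update_account_static(1, 'o''brien@example.com');
SELECT update_account_dynamic_quoted(1, 'o''brien@example.com');
```

On PostgreSQL 8.4 and later, `EXECUTE ... USING p_id, p_email` with `$1`/`$2` placeholders, or `format('%L', ...)`, gives the same parameter binding for dynamic SQL without hand-built quoting.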