Re: BUG #15632: Correctly escaped strings are mishandled in function

Поиск
Список
Период
Сортировка
От David G. Johnston
Тема Re: BUG #15632: Correctly escaped strings are mishandled in function
Дата
Msg-id CAKFQuwZW884phB7OmNUCciFen2-jm0RgpnhecG0nZ=UuWQhxBw@mail.gmail.com
обсуждение исходный текст
Ответ на RE: BUG #15632: Correctly escaped strings are mishandled in function  (Kaleb Akalework <kaleb.akalework@asg.com>)
Ответы RE: BUG #15632: Correctly escaped strings are mishandled in function  (Kaleb Akalework <kaleb.akalework@asg.com>)
RE: BUG #15632: Correctly escaped strings are mishandled in function  (Kaleb Akalework <kaleb.akalework@asg.com>)
Список pgsql-bugs
Дерево обсуждения 
On Mon, Feb 11, 2019 at 11:22 AM Kaleb Akalework
<kaleb.akalework@asg.com> wrote:

>     v_sql :=          ' WITH upd AS ( ';
>     v_sql := v_sql || ' UPDATE ' || v_tpc_db_table || ' ';
>     v_sql := v_sql || ' SET topic_value = ' || v_replace_str || ' ';
>     v_sql := v_sql || ' WHERE topic_value = ''' || p_old_value || ''' ';
>     v_sql := v_sql || ' RETURNING 1 ) ';
>     v_sql := v_sql || ' SELECT COUNT(*) FROM upd ';

PostgreSQL provides two features to avoid writing SQL-injection prone
code like this.  Use one of them.

quote_literal() and related functions

The format() function and its %L and related specifiers.

You can also place "$n" placeholders into the dynamic command as pass
literals in via EXECUTE USING.

Or some combination of the above.

This is all nicely covered in the documentation for pl/pgsql regarding
executing dynamic commands.

https://www.postgresql.org/docs/11/plpgsql-statements.html#PLPGSQL-STATEMENTS-EXECUTING-DYN

David J.

В списке pgsql-bugs по дате отправления:

Предыдущее
От: Kaleb Akalework
Дата:
Сообщение: RE: BUG #15632: Correctly escaped strings are mishandled in function
Следующее
От: Kaleb Akalework
Дата:
Сообщение: RE: BUG #15632: Correctly escaped strings are mishandled in function