On 19.01.2011 12:53, Pavel Stehule wrote:
> The EXECUTE statement doesn't support parametrization via the SPI_execute_with_args call, or via PQexecParams either. It can be a security issue. If somebody uses a prepared statement as protection against SQL injection, then all security goes out, because he has to call EXECUTE without parametrization.
Why don't you use SPI_prepare and SPI_open_query?

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
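An added illustration of the limitation Pavel describes and of the alternative Heikki suggests, written in PL/pgSQL rather than C; this is not code from the thread. It assumes a hypothetical table accounts(name text, balance int). The SQL-level EXECUTE of a PREPAREd statement cannot take bound parameters, so a caller who insists on reusing it must splice the value into SQL text; handing the query itself to PL/pgSQL's EXECUTE ... USING keeps it parametrized, because PL/pgSQL prepares and runs it through SPI with real bind parameters.

```sql
-- Constructed schema for the example (assumption, not from the thread).
CREATE TABLE accounts (name text PRIMARY KEY, balance int NOT NULL);
INSERT INTO accounts VALUES ('alice', 100), ('bob', 25);

-- Session-level prepared statement; it only protects callers who can bind $1.
PREPARE acct_by_name(text) AS
  SELECT balance FROM accounts WHERE name = $1;

-- Pattern the thread warns about: the utility statement EXECUTE does not
-- accept $n parameters, so this variant (commented out) fails:
--   EXECUTE 'EXECUTE acct_by_name($1)' INTO r USING p_name;
-- and the tempting workaround builds the argument into the SQL text,
-- which reintroduces SQL injection for an untrusted p_name.
CREATE OR REPLACE FUNCTION balance_unsafe(p_name text) RETURNS int AS $$
DECLARE
  r int;
BEGIN
  EXECUTE 'EXECUTE acct_by_name(''' || p_name || ''')' INTO r;
  RETURN r;
END
$$ LANGUAGE plpgsql;

-- Safer form: do not route through the SQL-level prepared statement at all.
-- EXECUTE ... USING sends the query and the value separately (via SPI, which
-- prepares it internally), so p_name is never parsed as SQL.
CREATE OR REPLACE FUNCTION balance_safe(p_name text) RETURNS int AS $$
DECLARE
  r int;
BEGIN
  EXECUTE 'SELECT balance FROM accounts WHERE name = $1' INTO r USING p_name;
  RETURN r;
END
$$ LANGUAGE plpgsql;

-- Both return 100 for a well-formed name; only balance_safe is robust to
-- names containing quote characters.
SELECT balance_unsafe('alice'), balance_safe('alice');
```

The same split applies to libpq clients: PQexecParams cannot bind parameters to an EXECUTE statement, whereas PQprepare/PQexecPrepared give a protocol-level prepared statement that always takes bound values.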