Re: [GENERAL] design, plpgsql and sql injection in dynamically generated sql

2009-08-18 Thread Pavel Stehule
2009/8/18 Ivan Sergio Borgonovo :
> On Tue, 18 Aug 2009 12:38:49 +0200
> Pavel Stehule wrote:
>
>> some unsafe function:
>
> I suspected something similar.
>
> I think many would appreciate if you put these examples here
> http://www.okbob.blogspot.com/2008/06/execute-using-feature-in-postgresql-8

Re: [GENERAL] design, plpgsql and sql injection in dynamically generated sql

2009-08-18 Thread Ivan Sergio Borgonovo
On Tue, 18 Aug 2009 12:38:49 +0200
Pavel Stehule wrote:

> some unsafe function:

I suspected something similar.

I think many would appreciate if you put these examples here
http://www.okbob.blogspot.com/2008/06/execute-using-feature-in-postgresql-84.html
and substitute the int example there with

Re: [GENERAL] design, plpgsql and sql injection in dynamically generated sql

2009-08-18 Thread Pavel Stehule
2009/8/18 Ivan Sergio Borgonovo :
> On Mon, 17 Aug 2009 12:48:21 +0200
> Pavel Stehule wrote:
>
>> Hello
>>
>> I am not sure, if it's possible for you. PostgreSQL 8.4 has EXECUTE
>> USING clause, it is 100% safe.
>
> Sorry I don't get it.
>
> How can I use USING safely when the substitution involv

Re: [GENERAL] design, plpgsql and sql injection in dynamically generated sql

2009-08-18 Thread Ivan Sergio Borgonovo
On Mon, 17 Aug 2009 12:48:21 +0200
Pavel Stehule wrote:

> Hello
>
> I am not sure, if it's possible for you. PostgreSQL 8.4 has EXECUTE
> USING clause, it is 100% safe.

Sorry I don't get it.

How can I use USING safely when the substitution involves a table name?
The examples I've seen just in

Re: [GENERAL] design, plpgsql and sql injection in dynamically generated sql

2009-08-17 Thread Sam Mason
On Mon, Aug 17, 2009 at 12:36:49PM +0200, Ivan Sergio Borgonovo wrote:
> I've several list of items that have to be rendered on a web apps in
> the same way.
[..]
> the nature of the lists and their usage pattern is very different.
> So unless someone come up with a better design I still would like

Re: [GENERAL] design, plpgsql and sql injection in dynamically generated sql

2009-08-17 Thread Pavel Stehule
Hello

I am not sure, if it's possible for you. PostgreSQL 8.4 has EXECUTE
USING clause, it is 100% safe.

Pavel

2009/8/17 Ivan Sergio Borgonovo :
> I've several list of items that have to be rendered on a web apps in
> the same way.
>
> The structure is:
>
> create table items (
>  itemid int pri

[GENERAL] design, plpgsql and sql injection in dynamically generated sql

2009-08-17 Thread Ivan Sergio Borgonovo
I've several list of items that have to be rendered on a web apps in
the same way.

The structure is:

create table items (
  itemid int primary key,
  /* some fields */
);

create table headert1 (
  ht1 int primary key,
  /* several other fields that varies in nature */
);

create table itemlistt1