Re: How does one make the following psql statement sql-injection resilient?
From | David G. Johnston |
---|---|
Subject | Re: How does one make the following psql statement sql-injection resilient? |
Date | |
Msg-id | CAKFQuwZSTGUqg6pG1QaE_YVwCaneHYRpMd2FJmwmY5Wbb3OT0A@mail.gmail.com |
In response to | Re: How does one make the following psql statement sql-injection resilient? ("David G. Johnston" <david.g.johnston@gmail.com>) |
Responses | Re: How does one make the following psql statement sql-injection resilient? |
List | pgsql-general |
On Monday, March 16, 2015, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
> David G. Johnston wrote:
> > Thanks! I got the gist even with the typo. I actually pondered about
> > prepare/execute after hitting send. Am I correct in remembering that
> > "CREATE TEMP TABLE" cannot be prepared? I was using the actual query with
> > CREATE TEMP TABLE and then issuing "\copy" to dump the result out to the
> > file. The limitation of copy to having to be written on a single line
> > makes the intermediary temporary table seem almost a necessity.
> CREATE TEMP TABLE AS EXECUTE

Thanks.

Though unless I need to work on the temp table I think:

PREPARE ...;
\copy (EXECUTE ...) TO '~/temp.csv' ...;

Gives the best of all worlds.
Except that server "COPY" only is documented to accept a "query" that begins with either SELECT or VALUES :(
I hereby voice my desire for EXECUTE to be usable as well.
David J.
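
The temp-table route from this exchange (PREPARE, then CREATE TEMP TABLE AS EXECUTE, then \copy of the table), written out as a psql script. This is an added example, not code from the thread; the table `books`, its rows, the names `export_q` and `export_result`, and the variable `user_input` are constructed for illustration.

```sql
-- Added example (psql script). All object names and data below are constructed.

-- Constructed sample data so the script runs on an empty database.
CREATE TEMP TABLE books (id int, title text, publisher text);
INSERT INTO books VALUES
    (1, 'Constructed Title A', 'O''Reilly'),
    (2, 'Constructed Title B', 'Other Press');

-- Stand-in for an externally supplied value; in practice it would arrive
-- via  psql -v user_input=...  rather than being set in the script.
\set user_input 'O''Reilly'

-- The query text is fixed at PREPARE time; the parameter is bound as data ($1)
-- and is never spliced into the SQL string.
PREPARE export_q(text) AS
    SELECT id, title, publisher
    FROM books
    WHERE publisher = $1;

-- :'user_input' makes psql send the variable as a properly quoted SQL literal,
-- so an embedded quote cannot terminate the string early.
-- CREATE TABLE AS accepts EXECUTE of a prepared SELECT, unlike COPY.
CREATE TEMP TABLE export_result AS
    EXECUTE export_q(:'user_input');

-- \copy must fit on one line and performs no psql variable interpolation,
-- so it only names the temp table; no user-controlled text reaches it.
\copy export_result TO '~/temp.csv' WITH (FORMAT csv, HEADER)

-- Clean up session-local objects.
DROP TABLE export_result;
DEALLOCATE export_q;
```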