Re: BUG #15794: Defects regarding stored procedure parameters
From | David G. Johnston
---|---
Subject | Re: BUG #15794: Defects regarding stored procedure parameters
Date |
Msg-id | CAKFQuwbzOdxFDN80aXRaw26jgyb8W0MY6i_pwz1SuiPQFq-T=Q@mail.gmail.com
In reply to | BUG #15794: Defects regarding stored procedure parameters (PG Bug reporting form <noreply@postgresql.org>)
List | pgsql-bugs
On Tue, May 7, 2019 at 1:47 AM PG Bug reporting form <noreply@postgresql.org> wrote:
> The following bug has been logged on the website:
> Bug reference: 15794
Not a bug.
> When the parameter name of the stored procedure is the same as the table
> field name of the update statement, a problem is caused: "field association
> is ambiguous."

See in particular the note. But usually parameter names are constructed uniquely in order to simply avoid this issue.
> (this function also has a problem: in PostgreSQL after 9, SQL string escaping is
> cumbersome)
Then don't use string escaping to build dynamic SQL, use the recommended format() function.
> v_sql := 'UPDATE public.student SET name = ' || E'\'' ||
>          update_student.name || E'\'' ||
>          ' WHERE id = ' || E'\'' || id || E'\'' || ';';
> EXECUTE v_sql;
I don't even want to try and understand or explain how broken the above might be...but I doubt it does what you think, plus it's vulnerable to SQL injection.
David J.
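As an added illustration (not code from the thread, nor from the reporter or from PostgreSQL itself): the reporter's `update_student` procedure rewritten the way the reply suggests, with the parameter/column clash resolved by qualifying the parameter name and the dynamic SQL built without hand-rolled quoting. It assumes PostgreSQL 11 or later (for `CREATE PROCEDURE`) and a table `public.student(id integer, name text)` matching the quoted snippet.

```sql
-- Constructed example, not from the original report.
-- Assumed table; matches the column names used in the reporter's snippet.
CREATE TABLE IF NOT EXISTS public.student (id integer PRIMARY KEY, name text);
INSERT INTO public.student VALUES (1, 'placeholder') ON CONFLICT DO NOTHING;

CREATE OR REPLACE PROCEDURE update_student(id integer, name text)
LANGUAGE plpgsql AS $$
DECLARE
    v_sql text;
BEGIN
    -- 1. Static SQL, no string building at all.
    --    Writing "SET name = name" here raises the reporter's error
    --    ('column reference "name" is ambiguous') because the right-hand
    --    "name" could be the column or the parameter. Qualifying the
    --    parameter with the procedure name (or naming it p_name) fixes it.
    UPDATE public.student AS s
       SET name = update_student.name
     WHERE s.id = update_student.id;

    -- 2. Dynamic SQL when it is really needed: bind values with USING.
    --    A value such as O'Brien is passed as data, never parsed as SQL,
    --    so there is no quote to escape and nothing to inject.
    v_sql := 'UPDATE public.student SET name = $1 WHERE id = $2';
    EXECUTE v_sql USING update_student.name, update_student.id;

    -- 3. If a value must be spliced into the SQL text (typically an
    --    identifier), let format() quote it: %I for identifiers, %L for
    --    literals. This replaces the E'\'' || value || E'\'' pattern.
    v_sql := format('UPDATE %I.%I SET name = %L WHERE id = %L',
                    'public', 'student',
                    update_student.name, update_student.id);
    EXECUTE v_sql;
END;
$$;

-- Usage: a name containing a quote goes through unchanged.
CALL update_student(1, 'O''Brien');
SELECT name FROM public.student WHERE id = 1;   -- O'Brien
```

All three statements in the body perform the same update; in practice only one of them is needed, and the first (static SQL) is the one to prefer.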