Search Postgresql Archives

Re: libpq: What can and cannot be bound? How to know?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2023-06-21 at 11:00 +0200, Dominique Devienne wrote:
> For example with [NOTIFY][1]. The doc states:
> 
> > Payload: This must be specified as a simple string literal
> 
> Does that mean we cannot bind the payload?
> I.e. the pseudo code:
> ```
> conn.exec(bind(msg), "NOTIFY {} $1", conn.escapeName(channel));
> ```
>  is invalid? And I must use instead
> ```
> conn.exec("NOTIFY {} {}", conn.escapeName(channel), conn.escapeLiteral(msg))`?
> ```
> I can try, of course, but could there be a obvious way to know what can and cannot be bound, just from the doc?
> 
> That would make it easier to deal with SQL injection to be able to bind for example.
> And knowing what can be bound would be useful.

This is not adequately documented.

The documentation for PREPARE says:

  Any SELECT, INSERT, UPDATE, DELETE, MERGE, or VALUES statement.

so NOTIFY is not supported.  However, you need some inside knowledge to know
that what you are running is an "unnamed prepared statement" and that the limitation
stated in PREPARE applies.

Yours,
Laurenz Albe






[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux