"Bogdan Tomchuk" <tbp-dsi@xxxxxxxxxxxxxxxxxxxxx> writes:
> My question is: if we imagine that the input of UpdateAccount has no
> filtering, or this filtering is incorrect, does any way exist to modify
> parameters of the Accounts table other than the authorized ones, or
> records of another user? Is there any injection technique possible?
> Should I still do something like quote_literal() systematically on each
> parameter and the reverse conversion each time? Or even replace UPDATE.. by EXECUTE

No. The code as you wrote it is perfectly secure --- plpgsql variables
are placeholders, their values aren't injected literally into the SQL
command. If you went over to using EXECUTE then you *would* need
quote_literal to be safe, because then you're synthesizing the complete
SQL command as a string.

			regards, tom lane
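The distinction in the reply, as an added worked example that is not part of the original thread: the `accounts` table, its sample rows and the three `update_account_*` functions below are constructed for illustration. The first function uses a plain UPDATE with plpgsql variables (bound as parameters), the second builds the same UPDATE as a string with EXECUTE and concatenation, and the third repairs the second with quote_literal().

```sql
-- Constructed sample schema and data (hypothetical, not from the thread).
CREATE TABLE accounts (
    id     serial PRIMARY KEY,
    owner  text NOT NULL,
    email  text NOT NULL
);
INSERT INTO accounts (owner, email) VALUES
    ('alice', 'alice@example.com'),
    ('bob',   'bob@example.com');

-- 1. Static SQL inside plpgsql. p_owner and p_email are passed to the
--    planner as parameters; their contents never become part of the
--    command text, so a quote character in the input is just data.
CREATE OR REPLACE FUNCTION update_account_safe(p_owner text, p_email text)
RETURNS integer AS $$
DECLARE
    n integer;
BEGIN
    UPDATE accounts SET email = p_email WHERE owner = p_owner;
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n;
END;
$$ LANGUAGE plpgsql;

-- 2. Dynamic SQL by string concatenation. Deliberately vulnerable:
--    the caller's input is spliced into the command text, so a value
--    such as  x' OR '1'='1  rewrites the WHERE clause to
--    WHERE owner = 'x' OR '1'='1' and every row is updated.
CREATE OR REPLACE FUNCTION update_account_unsafe(p_owner text, p_email text)
RETURNS integer AS $$
DECLARE
    n integer;
BEGIN
    EXECUTE 'UPDATE accounts SET email = ''' || p_email
         || ''' WHERE owner = ''' || p_owner || '''';
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n;
END;
$$ LANGUAGE plpgsql;

-- 3. Dynamic SQL done as the reply prescribes: quote_literal() turns
--    each value into a correctly escaped literal before it is spliced
--    in, so the same hostile input is compared as the literal string
--    'x'' OR ''1''=''1' and matches no row.
CREATE OR REPLACE FUNCTION update_account_dynamic(p_owner text, p_email text)
RETURNS integer AS $$
DECLARE
    n integer;
BEGIN
    EXECUTE 'UPDATE accounts SET email = ' || quote_literal(p_email)
         || ' WHERE owner = ' || quote_literal(p_owner);
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n;
END;
$$ LANGUAGE plpgsql;

-- Each function returns the number of rows it touched.
-- Benign input: one row in every variant.
SELECT update_account_safe('alice', 'alice.new@example.com');

-- Hostile input (dollar-quoted so the embedded quote survives):
SELECT update_account_safe($$x' OR '1'='1$$, 'evil@example.com');
SELECT update_account_unsafe($$x' OR '1'='1$$, 'evil@example.com');
SELECT update_account_dynamic($$x' OR '1'='1$$, 'evil@example.com');

-- Inspect the damage done by the unsafe variant.
SELECT id, owner, email FROM accounts ORDER BY id;
```

With the hostile owner value, the static and quote_literal() variants report zero rows changed, while the concatenating variant changes both accounts, which is exactly the "records of another user" case the question asks about. The rule of thumb follows from the reply: quoting is needed precisely when, and only when, the SQL text is assembled from strings. On PostgreSQL 8.4 and later (outside the scope of the thread) `EXECUTE ... USING $1, $2` passes dynamic-SQL values as parameters as well, which avoids the need to quote at all.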