From: Tino Wildenhain [mailto:tino@xxxxxxxxxxxxx]
Sent: Tue 10/25/2005 11:22 AM
To: surabhi.ahuja
Cc: Richard Huxton; Stephan Szabo; pgsql-general@xxxxxxxxxxxxxx
Subject: Re: a stored procedure ..with integer as the parameter
On Tuesday, 25.10.2005, 10:24 +0530, surabhi.ahuja wrote:
> Oops, I am sorry,
> I mean from the client I'll be getting values (which I need to
> insert into the table) in the form of strings:
>
> and I form the insert command as follows:
>
> function(char *a, char *b, char *c)
> {
>     char command[1024];
>     sprintf(command, "select insert('%s','%s','%s')", a, b, c);
>     execute the above command;
> }
>
> the above is just the pseudocode
>
> the stored procedure in turn is as follows (pseudocode):
>
> insert(smallint, smallint, varchar(256))
> begin
>     insert into table1 values ($1, $2, $3);
> end
I'm not sure this serves much purpose if it isn't just for experimenting ;)

char -> int is simply done by casting (even automatically), so your insert reduces to:

INSERT INTO table1 (col_a,col_b,col_c) VALUES (a,b,c);

(with or w/o stored function)

Simply sprintf'ing into a string can be a very serious security hole, btw.
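To make the last remark concrete, here is an added example (not code from the thread or from the PostgreSQL project) that puts the sprintf pattern from the question next to a hardened form. It assumes the column names col_a, col_b, col_c from the reply above, and it assumes the hardened query would be sent with libpq's PQexecParams, which takes the SQL text and an array of parameter values separately; the example does not link libpq, so it only builds the two pieces and lets you inspect them. The input "O'Brien" is a constructed, perfectly legitimate varchar value whose single apostrophe is enough to break the pasted-together statement.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of occurrences of ch in s (helper for the demo below). */
static int count_char(const char *s, char ch) {
    int n = 0;
    for (; *s; s++) if (*s == ch) n++;
    return n;
}

/* The pattern from the question: the values are pasted into the SQL text.
 * Any quote inside a, b or c changes the statement itself, not just the data. */
int build_unsafe(char *cmd, size_t cap, const char *a, const char *b, const char *c) {
    int n = snprintf(cmd, cap, "select insert('%s','%s','%s')", a, b, c);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

/* Quote count of the unsafe command (-1 if it did not fit). The literal
 * template has six quotes; an odd result means the statement is malformed. */
int unsafe_quote_count(const char *a, const char *b, const char *c) {
    char cmd[1024];
    if (build_unsafe(cmd, sizeof cmd, a, b, c) != 0) return -1;
    return count_char(cmd, '\'');
}

/* Convert the client's string to a smallint on the client side and reject
 * empty input, trailing junk and out-of-range values; 0 on success. */
int parse_smallint(const char *s, short *out) {
    char *end;
    long v;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < SHRT_MIN || v > SHRT_MAX) return -1;
    *out = (short)v;
    return 0;
}

int smallint_ok(const char *s) {
    short v;
    return parse_smallint(s, &v) == 0;
}

/* Hardened form: the SQL text is a constant with $n placeholders and the
 * values travel in a separate array (what PQexecParams' paramValues would
 * receive; the libpq call itself is assumed and not made here). */
typedef struct {
    const char *sql;
    const char *values[3];
    char a_txt[8], b_txt[8];   /* decimal text of the validated smallints */
} param_query;

int build_safe(param_query *q, const char *a, const char *b, const char *c) {
    short sa, sb;
    if (parse_smallint(a, &sa) != 0 || parse_smallint(b, &sb) != 0) return -1;
    if (c == NULL || strlen(c) > 256) return -1;   /* varchar(256) column */
    q->sql = "INSERT INTO table1 (col_a, col_b, col_c) VALUES ($1, $2, $3)";
    snprintf(q->a_txt, sizeof q->a_txt, "%d", sa);
    snprintf(q->b_txt, sizeof q->b_txt, "%d", sb);
    q->values[0] = q->a_txt;
    q->values[1] = q->b_txt;
    q->values[2] = c;          /* passed as data, never spliced into the SQL */
    return 0;
}

/* 1 if the hardened form accepts the input and the SQL text stays free of
 * user data (no quote characters at all); 0 otherwise. */
int safe_accepts(const char *a, const char *b, const char *c) {
    param_query q;
    if (build_safe(&q, a, b, c) != 0) return 0;
    return strcmp(q.values[2], c) == 0 && strchr(q.sql, '\'') == NULL;
}

int main(void) {
    printf("unsafe quote count for O'Brien: %d\n", unsafe_quote_count("1", "2", "O'Brien"));
    printf("safe form accepts O'Brien: %d\n", safe_accepts("1", "2", "O'Brien"));
    printf("safe form accepts \"12abc\" as smallint: %d\n", safe_accepts("12abc", "2", "x"));
    return 0;
}
```

The point of the split is that the database receives the query text and the values through different channels, so a quote in a value is just a byte of data; the client-side strtol check additionally gives a clear error for "12abc" or an out-of-range number instead of a failed cast deep inside the server.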