In this post, I demonstrate 2 variations of supplying function parameters to a PLpgSQL function. Read on and see how... https://joshuaotwell.com/function-parameters-in-a-plpgsql-function-how-they-are-accessed/
Replying to @j2112o
There is no SQL injection issue here. There never is, in PLpgSQL, unless you use one of the EXECUTE constructs or pass parameter values to another function which is itself unsafe (e.g. from tablefunc or dblink).
1 reply 0 retweets 3 likes
Replying to @RhodiumToad
Why or how is PLpgSQL safe from SQL injection?
3 replies 0 retweets 0 likes
Replying to @j2112o @RhodiumToad
PLpgSQL, as a language, is neither safe nor unsafe from SQL injection. SQL injection is just a category of bug, and one needs to look at a piece of code to know whether it has this bug.
1 reply 0 retweets 1 like
It's safe in that the default mode of query execution (writing the query in the function, rather than using any EXECUTE variant) is not subject to injection regardless of what you do wrong.
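The distinction the thread draws, as an added example that is not part of the original tweets: the same parameter handled by a static query, by an EXECUTE built through string concatenation, and by an EXECUTE that binds values with USING and identifiers with format('%I'). The table `accounts(id, owner)` and all function names are hypothetical.

```sql
-- Added example (not from the thread). Assumes a table accounts(id int, owner text).

-- 1. Static SQL: p_owner is bound as a value; it never becomes query text.
CREATE OR REPLACE FUNCTION get_accounts_static(p_owner text)
RETURNS SETOF accounts
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY SELECT * FROM accounts WHERE owner = p_owner;
END;
$$;

-- 2. Dynamic SQL by concatenation: p_owner is spliced into the statement text,
--    so a value containing a quote character changes the statement itself.
CREATE OR REPLACE FUNCTION get_accounts_unsafe(p_owner text)
RETURNS SETOF accounts
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT * FROM accounts WHERE owner = ''' || p_owner || '''';
END;
$$;

-- 3. Dynamic SQL done safely: the value goes through a USING placeholder ($1),
--    and the identifier is quoted with format('%I').
CREATE OR REPLACE FUNCTION get_accounts_dynamic(p_table text, p_owner text)
RETURNS SETOF accounts
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE format('SELECT * FROM %I WHERE owner = $1', p_table)
        USING p_owner;
END;
$$;

-- Check: an owner name containing an apostrophe is a plain value for 1 and 3,
-- but for 2 the quote terminates the literal and the statement no longer parses.
-- SELECT * FROM get_accounts_static('O''Brien');              -- rows for O'Brien
-- SELECT * FROM get_accounts_dynamic('accounts', 'O''Brien'); -- rows for O'Brien
-- SELECT * FROM get_accounts_unsafe('O''Brien');              -- ERROR: syntax error at or near "Brien"
```

Reviewing a PL/pgSQL code base for injection therefore reduces to auditing every EXECUTE (and EXECUTE-like call in extensions such as dblink) for concatenated input; the static queries need no such review.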