Preventing SQL injection with stored procedures
Posted Jun 1, 2006 4:29 UTC (Thu) by xoddam
In reply to: Preventing SQL injection with stored procedures
Parent article: SQL injection vulnerabilities in PostgreSQL
Your example prepares the procedure using untrusted input, so the
prepared query itself is untrustworthy.
Preparing stored queries without using untrusted input requires the use
of placeholders for the arguments, and passing the input *later* when the
query is executed. Then no untrusted input will ever be parsed as SQL, so
there is no injection vulnerability.
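The distinction drawn in the comment above, as an added example that is not part of the original thread: Python with the standard-library sqlite3 module (an assumption so it runs offline; PostgreSQL client libraries expose the same placeholder mechanism), over a constructed sample table.

```python
"""Interpolating input into SQL text vs. binding it through a placeholder.

Assumption: sqlite3 stands in for PostgreSQL here; the table and rows are
constructed sample data, not anything from the thread.
"""
import sqlite3


def make_db():
    """Create an in-memory database holding constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_interpolated(conn, name):
    """Flawed pattern: the untrusted value is spliced into the statement text
    before parsing, so the database parses the input as SQL."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Safe pattern: the statement text holds only a placeholder; the value
    is bound at execution time and is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR 'a'='a"
    # The interpolated query becomes ... WHERE name = 'x' OR 'a'='a' and
    # matches every row; the parameterized query looks for that literal
    # string as a name and matches nothing.
    print(lookup_interpolated(db, tainted))
    print(lookup_parameterized(db, tainted))
```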