05-02-2008, 06:06 AM
Tom Lane
Re: Protection from SQL injection

"Gurjeet Singh" <singh.gurjeet@gmail.com> writes:
> Maybe we can extend the SQL's WITH clause do declare the constant along with
> the query, and not separate from the query.
> WITH CONSTANT c_jobrole = 'clerk', CONSTANT c_dept = 10
> SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
[ scratches head... ] And that will provide SQL injection protection how?

Anyway, you hardly need new syntax to do that, I'd expect

WITH SELECT 'clerk' AS c_jobrole ...

to accomplish it just fine.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
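To illustrate the point Tom makes above, here is an added example (not from the thread, written against Python's sqlite3 module with a constructed emp table): a WITH-clause "constant" built by string concatenation is still parsed as SQL text, so a stray quote in the input reaches the parser, while the same query with bound parameters treats the input purely as data.

```python
import sqlite3


def build_db():
    """Constructed in-memory emp table (sample rows, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE emp (empno INTEGER, ename TEXT, jobrole TEXT, deptno INTEGER)"
    )
    conn.executemany(
        "INSERT INTO emp VALUES (?, ?, ?, ?)",
        [(1, "alice", "clerk", 10), (2, "bob", "manager", 10), (3, "carol", "clerk", 20)],
    )
    return conn


def query_cte_concat(conn, jobrole, deptno):
    """The WITH-constant idea with the values spliced into the SQL string.
    The CTE changes nothing: user input is still part of the statement text."""
    sql = (
        f"WITH c AS (SELECT '{jobrole}' AS c_jobrole, {deptno} AS c_dept) "
        "SELECT e.ename FROM emp e, c "
        "WHERE e.jobrole = c.c_jobrole AND e.deptno = c.c_dept"
    )
    return [row[0] for row in conn.execute(sql)]


def query_cte_params(conn, jobrole, deptno):
    """Same query shape, but the values are bound parameters, so the driver
    never hands them to the SQL parser."""
    sql = (
        "WITH c AS (SELECT ? AS c_jobrole, ? AS c_dept) "
        "SELECT e.ename FROM emp e, c "
        "WHERE e.jobrole = c.c_jobrole AND e.deptno = c.c_dept"
    )
    return [row[0] for row in conn.execute(sql, (jobrole, deptno))]


def compare(jobrole, deptno):
    """Run both forms on fresh data; return the concatenated form's rows
    (or its parser error as a string) alongside the parameterized rows."""
    conn = build_db()
    try:
        concat = query_cte_concat(conn, jobrole, deptno)
    except sqlite3.OperationalError as e:
        concat = f"error: {e}"
    return concat, query_cte_params(conn, jobrole, deptno)


if __name__ == "__main__":
    print(compare("clerk", 10))     # both forms: ['alice']
    print(compare("o'clerk", 10))   # concat: parser error; params: []
```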