mt_1990 wrote:
Is there a secure function which returns an SQL query from a command?
Expecting result:
Code:
"SELECT * FROM a WHERE subject like 'String with possible sql injection.'";
PostgreSQL does not allow getting a query string of this kind. You create the following query:
Code:
SELECT * FROM a WHERE subject like @SUBJECT
After the command is prepared, it looks like the following:
Code:
SELECT * FROM a WHERE subject like $1
The server returns a handle to this statement to the application. Each time the statement is executed again, only the parameter value is sent to the server. This leads to the following:
1. The query with the parameter value substituted, like "SELECT * FROM a WHERE subject like 'String with possible sql injection.'", cannot be retrieved. It never exists in that form.
2. When a parameter value is sent, it is processed as a string. Even if the string contains an SQL statement, it will not be executed; it will be processed as a string.
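The prepare-then-execute flow described in the answer above, as an added example that is not part of the original thread. It assumes the Npgsql ADO.NET provider (the thread does not name the .NET provider in use), a reachable PostgreSQL server with a constructed connection string, and a table a with a text column subject; the user input is constructed to contain characters that would break a concatenated query.

```csharp
// Added example, not from the original post. Assumptions: Npgsql provider,
// table "a" with text column "subject", and a local server reachable with
// the constructed connection string below.
using System;
using Npgsql;
using NpgsqlTypes;

class ParameterizedQueryDemo
{
    static void Main()
    {
        // Constructed connection string; adjust for your environment.
        const string connString =
            "Host=localhost;Username=app;Password=example;Database=app";

        // Constructed input containing a quote and a comment marker: pasted
        // into SQL text it would change the statement; sent as a parameter
        // it is only a LIKE pattern that matches nothing.
        string userInput = "report' OR ''='' --";

        // Unsafe pattern, shown for contrast only: the input becomes SQL.
        string unsafeSql =
            "SELECT * FROM a WHERE subject like '" + userInput + "'";
        Console.WriteLine("Concatenated text (never execute this): " + unsafeSql);

        using var conn = new NpgsqlConnection(connString);
        conn.Open();

        // Safe pattern: the SQL text carries only the placeholder.
        using var cmd = new NpgsqlCommand(
            "SELECT * FROM a WHERE subject like @subject", conn);
        NpgsqlParameter p = cmd.Parameters.Add("subject", NpgsqlDbType.Text);

        // After Prepare() the server holds
        //   SELECT * FROM a WHERE subject like $1
        // and hands back a statement handle; the value is not part of it.
        cmd.Prepare();

        // Each execution sends only the parameter value to the server.
        foreach (string value in new[] { "%report%", userInput })
        {
            p.Value = value;
            using NpgsqlDataReader reader = cmd.ExecuteReader();
            int rows = 0;
            while (reader.Read()) rows++;
            Console.WriteLine($"value={value} rows={rows}");
        }

        // The command text is still the template: the combined string the
        // question asks for is never built on either side.
        Console.WriteLine("Command text: " + cmd.CommandText);
    }
}
```

The second execution with the hostile-looking value returns zero rows rather than every row, which is point 2 above in practice: the server treats the parameter as data for the like comparison, and the only place the quote and the comment marker ever appear inside SQL text is the unsafe concatenated string printed for contrast.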