0 
CREATE OR REPLACE FUNCTION increment(key character varying)
RETURNS character varying AS $$
BEGIN
       SELECT code, name from tbl where $1;
END;
$$ LANGUAGE plpgsql;


select * from increment('code = ''ati'' ');

=> notice error "where $1 ";

Improve this question
4
  • 1
    where $1 means $1 is boolean - and define varchar... maybe you meant SELECT code, name from tbl where name = $1;?.. Commented Oct 27, 2017 at 9:50
  • you've got error in where clause, should be something like where column = $1 Commented Oct 27, 2017 at 9:52
  • I know. But parameter in function is 'name = ...' Commented Oct 27, 2017 at 9:54
  • For future reference, you should always include the full error message you receive, not just a summary of what you think it means. There may be details in the message which you don't understand, or think are not important, that other people can explain to you, or will help them understand the problem. Commented Oct 27, 2017 at 10:59

2 Answers 2

Reset to default
1

what you try to do is prune to SQL injection, eg:

t=# CREATE OR REPLACE FUNCTION increment(key character varying)
RETURNS character varying AS $$
BEGIN
 return format('SELECT code, name from tbl where %s',$1);
END;
$$ LANGUAGE plpgsql;
CREATE FUNCTION
Time: 1.179 ms
t=# select * from increment('code = ''ati'' ');
                   increment
------------------------------------------------
 SELECT code, name from tbl where code = 'ati'
(1 row)

but you don't control what statement is returned, look here:

t=# select * from increment('true; drop table b;');
                      increment
------------------------------------------------------
 SELECT code, name from tbl where true; drop table b;
(1 row)
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

maybe execute the key in dsql to see if it returns true: execute 'select ' || key into some_boolean. If it throws an error then don't execute the rest.
do $$ begin execute 'select true; drop table b;'; end; $$ ; safely dropt table
@JustMe That won't help; the attacker can just adjust their attack to work in the context of the first EXECUTE instead. There is a huge body of research into different ways of constructing SQL Injection attacks for different contexts.
1

A function does not simply concatenate the variables you give it and run the resulting SQL, so you can't pass a whole WHERE clause in as a parameter like that.

The biggest reason for this is security: input to a function might ultimately have come from an untrusted user (e.g. input from a website), and you don't want them to be able to arbitrarily change your query. It would also be awkward to use: if you wanted to search for the surname O'Reilly, functions would break if they didn't keep track of whether the ' was escaped or not.

So instead queries and data are kept separate - the only time WHERE $1 will work is if $1 is a boolean. Similarly, WHERE name=$1 will only ever compare name against an appropriate value (probably text or varchar), etc.

All that said, if you really have need for a dynamic SQL query, which occasionally happens, but not very often if you've designed your DB well, you can use a plpgsql function with an EXECUTE statement.

In this case, you probably just want the input to be the value of code, and the query to check that explicitly:

SELECT code, name from tbl where code = $1;

You can then add variant functions for different use cases, or have explicit boolean flags like search_by_name which select different queries, all without the risk and complexity of dynamic SQL.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.