Are SQL injections in non EXECUTE rpc functions possible?

Do I understand it correct that SQL injections are NOT possible if I do NOT use the "execute keyword"?

Like this should be safe:

CREATE OR REPLACE FUNCTION public.search_user(
    search_term text
)
    RETURNS table
            (
                id         uuid,
                first_name text,
                last_name  text,
                username   text
            )
    LANGUAGE plpgsql
    SECURITY INVOKER
AS
$$
BEGIN
    RETURN QUERY
        SELECT
            id,
            first_name,
            last_name,
            username
        FROM
            profiles
        WHERE
            first_name = search_term;
END
$$;

CREATE OR REPLACE FUNCTION public.search_user(
    search_term text
)
    RETURNS table
            (
                id         uuid,
                first_name text,
                last_name  text,
                username   text
            )
    LANGUAGE plpgsql
    SECURITY INVOKER
AS
$$
BEGIN
    RETURN QUERY
        SELECT
            id,
            first_name,
            last_name,
            username
        FROM
            profiles
        WHERE
            first_name = search_term;
END
$$;

But this is not safe?:

CREATE OR REPLACE FUNCTION public.search_user(
    search_term text
)
    RETURNS table
            (
                id         uuid,
                first_name text,
                last_name  text,
                username   text
            )
    LANGUAGE plpgsql
    SECURITY INVOKER
AS
$$
BEGIN
    RETURN QUERY ***EXECUTE***
        SELECT
            id,
            first_name,
            last_name,
            username
        FROM
            profiles
        WHERE
            first_name = search_term;
END
$$;

CREATE OR REPLACE FUNCTION public.search_user(
    search_term text
)
    RETURNS table
            (
                id         uuid,
                first_name text,
                last_name  text,
                username   text
            )
    LANGUAGE plpgsql
    SECURITY INVOKER
AS
$$
BEGIN
    RETURN QUERY ***EXECUTE***
        SELECT
            id,
            first_name,
            last_name,
            username
        FROM
            profiles
        WHERE
            first_name = search_term;
END
$$;

Are SQL injections in non EXECUTE rpc functions possible?

Do I understand it correct that SQL injections are NOT possible if I do NOT use the "execute keyword"?

Like this should be safe:

CREATE OR REPLACE FUNCTION public.search_user(
    search_term text
)
    RETURNS table
            (
                id         uuid,
                first_name text,
                last_name  text,
                username   text
            )
    LANGUAGE plpgsql
    SECURITY INVOKER
AS
$$
BEGIN
    RETURN QUERY
        SELECT
            id,
            first_name,
            last_name,
            username
        FROM
            profiles
        WHERE
            first_name = search_term;
END
$$;

CREATE OR REPLACE FUNCTION public.search_user(
    search_term text
)
    RETURNS table
            (
                id         uuid,
                first_name text,
                last_name  text,
                username   text
            )
    LANGUAGE plpgsql
    SECURITY INVOKER
AS
$$
BEGIN
    RETURN QUERY
        SELECT
            id,
            first_name,
            last_name,
            username
        FROM
            profiles
        WHERE
            first_name = search_term;
END
$$;

But this is not safe?:

CREATE OR REPLACE FUNCTION public.search_user(
    search_term text
)
    RETURNS table
            (
                id         uuid,
                first_name text,
                last_name  text,
                username   text
            )
    LANGUAGE plpgsql
    SECURITY INVOKER
AS
$$
BEGIN
    RETURN QUERY ***EXECUTE***
        SELECT
            id,
            first_name,
            last_name,
            username
        FROM
            profiles
        WHERE
            first_name = search_term;
END
$$;

CREATE OR REPLACE FUNCTION public.search_user(
    search_term text
)
    RETURNS table
            (
                id         uuid,
                first_name text,
                last_name  text,
                username   text
            )
    LANGUAGE plpgsql
    SECURITY INVOKER
AS
$$
BEGIN
    RETURN QUERY ***EXECUTE***
        SELECT
            id,
            first_name,
            last_name,
            username
        FROM
            profiles
        WHERE
            first_name = search_term;
END
$$;

Are SQL injections in non EXECUTE rpc functions possible?

Similar Threads

Are SQL injections in non EXECUTE rpc functions possible?

Similar Threads

Similar Threads

Similar Threads