Are SQL injections in non EXECUTE rpc functions possible?
Do I understand it correctly that SQL injections are NOT possible if I do NOT use the "execute keyword"?
Like this should be safe:
CREATE OR REPLACE FUNCTION public.search_user(
  search_term text
)
RETURNS table
(
  id uuid,
  first_name text,
  last_name text,
  username text
)
LANGUAGE plpgsql
SECURITY INVOKER
AS
$$
BEGIN
  -- Static SQL: search_term is handed to the statement as a bound parameter.
  RETURN QUERY
  SELECT
    p.id,
    p.first_name,
    p.last_name,
    p.username
  FROM
    profiles AS p  -- alias avoids "column reference is ambiguous" against the OUT columns
  WHERE
    p.first_name = search_term;
END
$$;

But this is not safe?:
CREATE OR REPLACE FUNCTION public.search_user(
  search_term text
)
RETURNS table
(
  id uuid,
  first_name text,
  last_name text,
  username text
)
LANGUAGE plpgsql
SECURITY INVOKER
AS
$$
BEGIN
  -- EXECUTE runs dynamic SQL: the statement is a string assembled at run time,
  -- here by concatenating search_term straight into the query text.
  RETURN QUERY EXECUTE
    'SELECT p.id, p.first_name, p.last_name, p.username '
    'FROM profiles AS p '
    'WHERE p.first_name = ''' || search_term || '''';
END
$$;
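As an added example that is not part of the original post: the dynamic (EXECUTE) version written so that user input cannot change the statement. The value is passed through USING as a bind parameter, and a caller-chosen column name goes through format('%I'), which quotes it as an identifier. It assumes the same public.profiles table as the question; the function name search_user_dynamic and the search_col parameter are mine.

```sql
-- Added example, not from the original post. Assumes public.profiles(id uuid,
-- first_name text, last_name text, username text) as in the question.
--
-- Dynamic SQL done safely: the statement text is fixed except for an
-- identifier inserted with %I (quote_ident semantics); the search value never
-- enters the text at all but arrives as bind parameter $1 via USING, so the
-- parser sees the same SELECT whatever search_term contains.
CREATE OR REPLACE FUNCTION public.search_user_dynamic(
  search_term text,
  search_col  text DEFAULT 'first_name'   -- which column to match on
)
RETURNS TABLE (id uuid, first_name text, last_name text, username text)
LANGUAGE plpgsql
SECURITY INVOKER
AS $$
BEGIN
  RETURN QUERY EXECUTE format(
    'SELECT p.id, p.first_name, p.last_name, p.username '
    'FROM public.profiles AS p '
    'WHERE p.%I = $1',
    search_col)        -- %I: double-quoted as an identifier; unknown column -> error, not injection
  USING search_term;   -- $1: compared as data, never parsed as SQL
END
$$;

-- Usage (constructed calls):
-- SELECT * FROM public.search_user_dynamic('Alice');                 -- match first_name
-- SELECT * FROM public.search_user_dynamic('alice_smith', 'username'); -- match username
```

If a value must be embedded in the text rather than bound, format('%L') quotes it as a literal; the USING form above is preferable because the plan does not depend on the value.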