mirror of https://github.com/FirebirdSQL/firebird.git synced 2025-02-02 10:00:38 +01:00

Added security note

This commit is contained in:
alexpeshkoff 2003-10-06 13:22:11 +00:00
parent 0388fe4dc3
commit 75c35844b8


@ -94,8 +94,8 @@ END
N O T E S
=========
For all forms of EXECUTE STATEMENT SQL, the DSQL string can not contain any
parameters. All variable substitution into the static part of the SQL
I. For all forms of EXECUTE STATEMENT SQL, the DSQL string can not contain
any parameters. All variable substitution into the static part of the SQL
statement should be performed before EXECUTE STATEMENT.
EXECUTE STATEMENT is potentially dangerous, because:
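Review bot: In the rewritten note ("I. For all forms of EXECUTE STATEMENT SQL, the DSQL string can not contain any parameters"), "can not" should be "cannot" since the restriction is absolute, and the sentence would be clearer if it named the consequence the reader needs: because no parameters are accepted, the only way to get variable values into the statement is text substitution into the string before EXECUTE STATEMENT, which is exactly the practice the following "potentially dangerous, because:" list warns about. Suggest "I. For all forms of EXECUTE STATEMENT SQL, the DSQL string cannot contain any parameters; all variable values must be substituted into the SQL text before EXECUTE STATEMENT." so the numbering introduced here (I., II.) and the warning that follows read as one connected point.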
@ -122,3 +122,8 @@ correct datatype. This helps to avoid some errors where unpredictable
type-casting would otherwise cause exceptions in some conditions but not
in others. For example, the string '1234' would convert to an int 1234,
but 'abc' would give a conversion error.
II. If the stored procedure has special privileges on some objects, the
dynamic statement submitted in the EXECUTE STATEMENT string does not
inherit them. Privileges are restricted to those granted to the user who
is executing the procedure.
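Review bot: The new note II does not say which privileges "special privileges on some objects" refers to or what happens when the dynamic statement touches an object the executing user lacks rights on; as written a reader may not realise that the privileges in question are the ones granted to the procedure itself rather than to its owner. Suggest stating both halves explicitly, e.g. "II. Privileges granted to the stored procedure itself on some objects are not inherited by the dynamic statement submitted in the EXECUTE STATEMENT string. That statement runs only with the privileges of the user who is executing the procedure, so it fails on any object that user has no privileges on, even if the procedure could access that object directly." This makes the security point of the commit ("Added security note") concrete for someone deciding whether to wrap a privileged operation in EXECUTE STATEMENT.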