From: guettliml(at)thomas-guettler(dot)de
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #13753: Docs for plpy.execute() miss info about quoting
Date: 2015-11-03 13:22:44
Message-ID: 20151103132244.2762.96085@wrigleys.postgresql.org
Lists: pgsql-bugs
The following bug has been logged on the website:
Bug reference: 13753
Logged by: Thomas Güttler
Email address: guettliml(at)thomas-guettler(dot)de
PostgreSQL version: 9.4.5
Operating system: Linux
Description:
This page misses important information:
http://www.postgresql.org/docs/9.4/static/plpython-database.html
How to quote the arguments?
The relevant information is here:
http://www.postgresql.org/docs/9.4/static/plpython-util.html
Please include a link from the execute() docs to the quoting docs.
I was trapped by a bug made by a teammate who did no quoting.
Not quoting the values of a SQL query can lead to SQL injections, which are a
big security concern.
Please add a note to the docs.
Thank you.
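An added example, not part of the report or of the PostgreSQL documentation, showing the trap the report describes inside a PL/Python function: the first version pastes an untrusted argument straight into the query text, the other two use plpy.prepare()/plpy.execute() with parameters and plpy.quote_literal()/plpy.quote_ident() from the utility page linked above. The `accounts` table, its columns and the `plpython3u` language name are assumptions for this example.

```sql
-- Constructed sample table for the example (assumed, not from the report).
CREATE TABLE accounts (id serial PRIMARY KEY, username text, balance numeric);
INSERT INTO accounts (username, balance) VALUES ('alice', 10), ('o''reilly', 20);

-- VULNERABLE: the caller's string becomes part of the SQL text without quoting.
-- A username containing a single quote breaks the statement, and a crafted
-- one changes the statement's meaning (SQL injection).
CREATE FUNCTION balance_unsafe(name text) RETURNS numeric AS $$
    rv = plpy.execute("SELECT balance FROM accounts WHERE username = '" + name + "'")
    if len(rv) == 0:
        return None
    return rv[0]["balance"]
$$ LANGUAGE plpython3u;

-- SAFE (preferred): a prepared plan with a typed parameter. The value is
-- passed out of band, so it never becomes SQL text and needs no quoting.
CREATE FUNCTION balance_safe(name text) RETURNS numeric AS $$
    plan = plpy.prepare("SELECT balance FROM accounts WHERE username = $1", ["text"])
    rv = plpy.execute(plan, [name])
    if len(rv) == 0:
        return None
    return rv[0]["balance"]
$$ LANGUAGE plpython3u;

-- SAFE when the statement text must be built dynamically (here the column
-- is chosen at run time, which a parameter cannot express):
-- plpy.quote_ident() for identifiers, plpy.quote_literal() for values.
CREATE FUNCTION column_value_safe(col text, name text) RETURNS text AS $$
    query = "SELECT %s AS v FROM accounts WHERE username = %s" % (
        plpy.quote_ident(col), plpy.quote_literal(name))
    rv = plpy.execute(query)
    if len(rv) == 0:
        return None
    return str(rv[0]["v"])
$$ LANGUAGE plpython3u;

-- The apostrophe in the stored name is harmless to the two safe versions;
-- the same call against balance_unsafe() fails with a syntax error because
-- the quote closes the literal early.
SELECT balance_safe('o''reilly');
SELECT column_value_safe('balance', 'o''reilly');
```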
From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: guettliml(at)thomas-guettler(dot)de
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #13753: Docs for plpy.execute() miss info about quoting
Date: 2015-11-03 17:03:51
Message-ID: 9076.1446570231@sss.pgh.pa.us
Lists: pgsql-bugs
guettliml(at)thomas-guettler(dot)de writes:
> This page misses important information:
> http://www.postgresql.org/docs/9.4/static/plpython-database.html
> How to quote the arguments?
AFAICS, none of the examples shown there require quoting of arguments,
so the issue doesn't really come up naturally.
> The relevant information is here:
> http://www.postgresql.org/docs/9.4/static/plpython-util.html
> Please include a link from the execute() docs to the quoting docs.
We cannot put everything on one page; that will not make it more
readable or understandable.
regards, tom lane