I have more experience with prepared statements and I know they are really good against SQL injection attacks.
I was wondering if the format/USING and quote_literal/quote_nullable of PL/pgSQL are equally efficient, given the fact that prepared statements have some vulnerabilities too (check here and here).
So, is PL/pgSQL safety at the same level as prepared statements? Should I consider myself safe and covered with format/USING / quote_literal/quote_nullable, or do I have to do more to be safer?
EXECUTE with USING in PL/pgSQL is 100% safe from SQL injection.
The examples you quote are not relevant.
Quoting is only safe if you do it properly. This is why it is not as good as using parameters.
A statement with placeholders that uses USING is processed as a prepared statement, and the arguments given to USING become the arguments of the prepared statement. The text in the arguments is never parsed as part of the SQL statement, so SQL injection is impossible.
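To make the distinction in the answer concrete, here is an added example (not part of the original question or answer) that puts the three patterns side by side in PL/pgSQL: string concatenation, which splices caller text into the SQL source; `EXECUTE ... USING`, which passes the value as a prepared-statement parameter; and `format()` with `%I`/`%L`, for the cases a parameter cannot cover. The `customers` table and the function names are invented for the illustration.

```sql
-- Added example, not from the page. Assumes a throwaway "customers" table;
-- the table, rows and function names are constructed for this demonstration.
CREATE TABLE customers (id serial PRIMARY KEY, name text NOT NULL, email text);
INSERT INTO customers (name, email)
VALUES ('O''Brien', 'ob@example.com'), ('Smith', NULL);

-- UNSAFE: the caller's text becomes part of the SQL source and is parsed as SQL.
-- A name containing a single quote (O'Brien) already breaks the statement,
-- which is the same mechanism an injection relies on.
CREATE OR REPLACE FUNCTION find_customer_unsafe(p_name text)
RETURNS SETOF customers LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT * FROM customers WHERE name = ''' || p_name || '''';
END;
$$;

-- SAFE: the statement text is fixed; p_name is bound to $1 as a parameter of the
-- prepared statement and is never parsed as SQL, so any characters in it are data.
CREATE OR REPLACE FUNCTION find_customer(p_name text)
RETURNS SETOF customers LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT * FROM customers WHERE name = $1' USING p_name;
END;
$$;

-- Identifiers (a column chosen by the caller) cannot be parameters. format() with
-- %I quotes the column as an identifier; the value still travels through USING.
CREATE OR REPLACE FUNCTION find_customer_by(p_column text, p_value text)
RETURNS SETOF customers LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE format('SELECT * FROM customers WHERE %I = $1', p_column)
        USING p_value;
END;
$$;

-- %L (equivalent to quote_nullable) is the fallback for literals where USING is not
-- available, e.g. when building a DDL string. NULL is rendered as the keyword NULL,
-- and embedded quotes are doubled.
SELECT format('UPDATE customers SET email = %L WHERE name = %L', NULL, 'O''Brien');

-- Usage: the parameterised versions handle the quote in the name as plain data;
-- the concatenating version fails on the same input with a syntax error.
SELECT * FROM find_customer('O''Brien');
SELECT * FROM find_customer_by('email', 'ob@example.com');
SELECT * FROM find_customer_unsafe('O''Brien');
```

The rule of thumb this shows: anything that is a *value* goes through `USING` (or a `%L`/`quote_nullable` literal when a parameter is impossible), anything that is an *identifier* goes through `%I`/`quote_ident`, and nothing supplied by the caller is ever concatenated raw into the statement text. Note that `%L` and `quote_literal` only protect you if they are applied to every literal; a single forgotten one is the "quoting is only safe if you do it properly" caveat from the answer.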