
Re: Bind Variables and Quoting / Dequoting Input

From: <operationsengineer1(at)yahoo(dot)com>
To: Michael Fuhr <mike(at)fuhr(dot)org>
Cc: "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org>
Subject: Re: Bind Variables and Quoting / Dequoting Input
Date: 2005-12-12 17:05:54
Message-ID: 20051212170555.20267.qmail@web33308.mail.mud.yahoo.com
Lists: pgsql-novice

--- Michael Fuhr <mike(at)fuhr(dot)org> wrote:

> On Fri, Dec 09, 2005 at 06:22:29PM -0700, Michael Fuhr wrote:
> > On Fri, Dec 09, 2005 at 01:54:13PM -0800, operationsengineer1(at)yahoo(dot)com wrote:
> > > Do I need to quote input even though I'm using bind
> > > variables in my queries?
> > >
> > > I seem to think that quoting on entry and unquoting on
> > > return was a method for fighting SQL injection, but
> > > I'm also thinking that bind variables may make that
> > > step meaningless.
> > 
> > Using placeholders should eliminate the need to quote, either by
> > quoting for you or by using the underlying protocol's mechanism for
> > parameterized queries.
> 
> I might have misunderstood what you meant by "bind variables."
> Could you explain exactly what you're doing?

Yes... this is an ADOdb code snippet:

// The SQL text contains only "?" placeholders; the values are handed to
// ADOdb separately in the array passed to Execute(), never spliced into
// the string by hand.
$sql_insert = <<<_EOSQL
INSERT INTO t_customer (customer_id, customer_name, customer_entry_date)
VALUES (?,?,?)
_EOSQL;

$result = $db->Execute($sql_insert,
    array($customer_id, $customer_name, $db->DBDate(time())));

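The point Michael makes above (placeholders remove the need to quote, and the original question's "quote on entry, unquote on return" step becomes not just unnecessary but harmful) is easiest to see side by side. The following is an added example, not code from this thread or from ADOdb; it uses Python's built-in sqlite3 module as a stand-in for ADOdb over PostgreSQL, and the table, the sample name and the injection payload are constructed for the demonstration. The function names (insert_concatenated, insert_bound, addslashes, demo) are hypothetical.

```python
import sqlite3

# Constructed sample inputs (not from the thread): a legitimate name that
# contains an apostrophe, and a classic stacked-query injection payload.
SAFE_NAME = "O'Brien"
INJECTION = "x', '2005-12-12'); DELETE FROM t_customer; --"

SQL_BOUND = (
    "INSERT INTO t_customer (customer_id, customer_name, customer_entry_date) "
    "VALUES (?, ?, ?)"
)


def fresh_db():
    """In-memory table shaped like t_customer in the thread, with one seed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE t_customer (customer_id INTEGER, customer_name TEXT, "
        "customer_entry_date TEXT)"
    )
    conn.execute("INSERT INTO t_customer VALUES (1, 'existing', '2005-12-01')")
    return conn


def insert_concatenated(conn, customer_id, name, date):
    """Vulnerable variant: values spliced into the SQL text by hand."""
    sql = (
        "INSERT INTO t_customer (customer_id, customer_name, customer_entry_date) "
        "VALUES (%d, '%s', '%s')" % (customer_id, name, date)
    )
    # executescript runs every statement in the string, like a driver that
    # allows stacked queries; this is what makes "; DELETE ..." dangerous.
    conn.executescript(sql)


def insert_bound(conn, customer_id, name, date):
    """Placeholder variant: the driver keeps the values separate from the SQL."""
    conn.execute(SQL_BOUND, (customer_id, name, date))
    conn.commit()


def addslashes(s):
    """PHP-style addslashes(): the 'quote on entry' step the question asks about."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def customer_names(conn):
    rows = conn.execute("SELECT customer_name FROM t_customer ORDER BY customer_id")
    return [row[0] for row in rows]


def demo():
    """Run the four scenarios and return what ended up in the table."""
    results = {}

    # 1. Hand-built SQL with an ordinary apostrophe: not an attack, just a broken query.
    conn = fresh_db()
    try:
        insert_concatenated(conn, 2, SAFE_NAME, "2005-12-12")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"

    # 2. Hand-built SQL with the payload: the seed row is deleted.
    conn = fresh_db()
    insert_concatenated(conn, 2, INJECTION, "2005-12-12")
    results["concat_injection"] = customer_names(conn)

    # 3. Placeholders with the same payload: stored verbatim, nothing else runs.
    conn = fresh_db()
    insert_bound(conn, 2, INJECTION, "2005-12-12")
    results["bound_injection"] = customer_names(conn)

    # 4. Placeholders with the apostrophe, without and with quoting on entry.
    conn = fresh_db()
    insert_bound(conn, 2, SAFE_NAME, "2005-12-12")
    results["bound_plain"] = customer_names(conn)[1]

    conn = fresh_db()
    insert_bound(conn, 2, addslashes(SAFE_NAME), "2005-12-12")
    results["bound_prequoted"] = customer_names(conn)[1]

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Scenario 4 is the answer to the original question: when the value is bound through a placeholder, pre-quoting it stores the backslash as part of the data (`O\'Brien` instead of `O'Brien`), which is exactly the "unquoting on return" mess the question describes. Whether a driver implements `?` by quoting the value itself or by sending it out-of-band in the protocol, the application passes the raw value and nothing else.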
