Shachar Shemesh wrote:
> Tom Lane wrote:
>> Parameters are only supported in plannable statements
>> (SELECT/INSERT/UPDATE/DELETE; I think there is some hack for DECLARE
>> CURSOR these days too).
> That's a shame.
> Aside from executing prepared statements, parameters are also useful for
> preventing SQL injections. Under those cases, they are useful for all
> commands, not only those that can be prepared.
> Oh well. I'm not sure whether that's extremely clever or downright
> insane, but I'm solving this problem by calling "Select
> quote_literal($1)" and "select quote_id($1)", and then using the results.
Create your own plpgsql function and call it.
In response to
pgsql-hackers by date
|Next:||From: Andrew Sullivan||Date: 2004-09-21 01:38:02|
|Subject: Re: signal 11 on AIX: 7.4.2|
|Previous:||From: Gaetano Mendola||Date: 2004-09-21 00:46:34|
|Subject: Re: RSS|