| From: | Richard Huxton <dev(at)archonet(dot)com> |
|---|---|
| To: | Scott Frankel <frankel(at)circlesfx(dot)com> |
| Cc: | PostgreSQL List <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: PQescapeStringConn |
| Date: | 2010-07-30 08:13:17 |
| Message-ID: | 4C52899D.7080206@archonet.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 30/07/10 07:52, Scott Frankel wrote:
> I have a number of very long strings that each contain many instances of
> semi-colons, single quotes, forward and back slashes, etc. I'm looking
> for an efficient and safe way to write them to my db using a prepared
> statement.
What language? From "C"?
> PREPARE fooprep (VARCHAR(32), text, text) AS
> INSERT INTO foo (name, description, body) VALUES ($1, $2, $3);
> EXECUTE fooprep('foo1', 'this is foo1',
This is basically PQprepare+PQexecPrepared, or PQexecParams if you want
to do both in one step. There is no need to escape strings if they are
passed as parameters - the library knows it's a string and handles that
for you.
Where you *do* have to worry about escaping strings is if you are
building up a query and have e.g. a varying table-name. It's legal for
table names to contain spaces etc. but they need to be quoted correctly.
Every application language will have its own library, but they all have
a similar prepare+exec option (and I think most use the "C" libpq
interface underneath).
--
Richard Huxton
Archonet Ltd
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dean Rasheed | 2010-07-30 08:14:23 | Re: Comparison of Oracle and PostgreSQL full text search |
| Previous Message | Scott Frankel | 2010-07-30 06:52:15 | PQescapeStringConn |