
Re: to escape or not to

From: Merlin Moncure <mmoncure(at)gmail(dot)com>
To: "Jean-Yves F(dot) Barbier" <12ukwn(at)gmail(dot)com>
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: to escape or not to
Date: 2011-06-22 14:04:02
Message-ID: BANLkTikN0YLuJQ69vAUzOS5Jbe6dhEV09g@mail.gmail.com
Lists: pgsql-novice
On Wed, Jun 22, 2011 at 8:49 AM, Jean-Yves F. Barbier <12ukwn(at)gmail(dot)com> wrote:
> Hi list,
>
> As of '39.5: plpgsql-statements', it is said that using '$n' instead of a named
> variable is preferred and less sensitive to a SQL injection.
>
> Does it really mean if I use $n I don't have to 'quote_xxxxxx' any of these
> variables?

that is correct. (by the way, we are talking about dynamic statements
with 'execute' here).

merlin
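The point Merlin is making, shown as an added PL/pgSQL example that is not part of the original thread: a dynamic statement that pastes a variable into the SQL text needs quote_literal(), while the same statement with EXECUTE ... USING passes the value as $1 and needs no quoting at all. The accounts table, the function names and the sample rows are made up for this illustration.

```sql
-- Added example (not from the original message). The "accounts" table,
-- the two functions and the sample rows are assumptions for illustration.
CREATE TABLE accounts (
    id       serial PRIMARY KEY,
    username text    NOT NULL,
    balance  numeric NOT NULL
);
INSERT INTO accounts (username, balance) VALUES ('alice', 10), ('bob', 20);

-- Vulnerable: the variable becomes part of the SQL text. Without
-- quote_literal(p_user) an input containing a single quote rewrites the query.
CREATE OR REPLACE FUNCTION balance_unsafe(p_user text) RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    EXECUTE 'SELECT balance FROM accounts WHERE username = '''
            || p_user || ''''
       INTO v_balance;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- Safe: the value travels as parameter $1 and is never spliced into the
-- statement text, so no quote_literal() is required.
CREATE OR REPLACE FUNCTION balance_safe(p_user text) RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    EXECUTE 'SELECT balance FROM accounts WHERE username = $1'
       INTO v_balance
      USING p_user;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- Injection attempt: the input closes the literal and appends OR '1'='1'.
-- balance_unsafe runs  ... WHERE username = 'x' OR '1'='1'
-- and returns the balance of whichever row comes first.
SELECT balance_unsafe('x'' OR ''1''=''1');

-- balance_safe runs   ... WHERE username = $1  with the entire string as
-- the value; no row matches and the function returns NULL.
SELECT balance_safe('x'' OR ''1''=''1');

-- Caveat: USING only carries values. A table or column name supplied by
-- the caller still has to go through quote_ident() or format('%I', ...)
-- (format() with %I exists from PostgreSQL 9.1 on).
CREATE OR REPLACE FUNCTION column_max(p_column text) RETURNS numeric AS $$
DECLARE
    v_max numeric;
BEGIN
    EXECUTE format('SELECT max(%I) FROM accounts', p_column) INTO v_max;
    RETURN v_max;
END;
$$ LANGUAGE plpgsql;

SELECT column_max('balance');   -- 20
```

The practical rule that follows from the thread: everything that is a value goes through USING and needs no quote_literal(); anything that has to be an identifier cannot be a parameter and must be quoted with quote_ident() or format('%I').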



Copyright © 1996-2014 The PostgreSQL Global Development Group