| From: | Michael Fuhr <mike(at)fuhr(dot)org> |
|---|---|
| To: | operationsengineer1(at)yahoo(dot)com |
| Cc: | "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org> |
| Subject: | Re: Bind Variables and Quoting / Dequoting Input |
| Date: | 2005-12-10 01:58:27 |
| Message-ID: | 20051210015827.GA17631@winnie.fuhr.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-novice |
On Fri, Dec 09, 2005 at 06:22:29PM -0700, Michael Fuhr wrote:
> On Fri, Dec 09, 2005 at 01:54:13PM -0800, operationsengineer1(at)yahoo(dot)com wrote:
> > do i need to quote input even though i'm using bind
> > variables in my queries?
> >
> > i seem to think that quoting on entry and unquoting on
> > return was a method for fighting sql injection, but
> > i'm also thinking that bind variables may make that
> > step meaningless.
>
> Using placeholders should eliminate the need to quote, either by
> quoting for you or by using the underlying protocol's mechanism for
> parameterized queries.
I might have misunderstood what you meant by "bind variables."
Could you explain exactly what you're doing?
--
Michael Fuhr
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Matt Arnilo S. Baluyos (Mailing Lists) | 2005-12-10 02:10:27 | Sorting empty rows at the bottom of a recordset |
| Previous Message | Michael Fuhr | 2005-12-10 01:22:29 | Re: Bind Variables and Quoting / Dequoting Input |