From: | Vivek Khera <vivek(at)khera(dot)org> |
---|---|
To: | pgsql-sql(at)postgresql(dot)org |
Subject: | Re: question |
Date: | 2005-08-30 14:59:01 |
Message-ID: | 9158F005-5B73-405A-8CD6-97D6B4621F62@khera.org |
Lists: | pgsql-general pgsql-sql |
On Aug 24, 2005, at 1:05 AM, Matt A. wrote:

> We used nullif('$value','') on inserts in mssql. We
> moved to postgres and love it but the nullif() doesn't
> match empty strings to each other to return null other
> than a text type, causing an error. This is a major
> part of our application.

I *certainly* hope you're not passing $value in straight from your
web form directly into the SQL. You're opening yourself up for SQL
injection attacks.

Why not just have your app that reads the form generate the proper
value to insert? That is the safe route.

Vivek Khera, Ph.D.
+1-301-869-4449 x806
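The approach Vivek recommends, as an added example that is not part of the thread: the application turns an empty form field into NULL and converts the rest to the column's type, then binds the values as query parameters instead of splicing `$value` into the SQL. The schema, the `people` table and the sample inputs are constructed for the demo; sqlite3 stands in for PostgreSQL only because it ships with Python (a PostgreSQL driver such as psycopg2 uses `%s` placeholders rather than `?`).

```python
import sqlite3
from typing import Callable, Optional

# Constructed schema for the demo (assumption, not from the thread).
SCHEMA = "CREATE TABLE people (name TEXT, age INTEGER)"


def form_value(raw: str, cast: Callable[[str], object] = str) -> Optional[object]:
    """Do in the application what nullif('$value', '') did in the SQL:
    an empty form field becomes NULL, anything else is converted to the
    column's type, so the database never has to guess a literal's type."""
    if raw == "":
        return None
    return cast(raw)


def insert_person(conn: sqlite3.Connection, name_raw: str, age_raw: str) -> int:
    """Insert one row. The driver binds the parameters, so raw form text is
    never part of the SQL string and needs no quoting by hand."""
    params = (form_value(name_raw), form_value(age_raw, int))
    cur = conn.execute("INSERT INTO people (name, age) VALUES (?, ?)", params)
    conn.commit()
    return cur.lastrowid


def fetch_person(conn: sqlite3.Connection, rowid: int) -> tuple:
    return conn.execute(
        "SELECT name, age FROM people WHERE rowid = ?", (rowid,)
    ).fetchone()


def demo() -> list:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    results = []
    # Constructed inputs: a normal row, an empty age field (stored as NULL),
    # and a name containing a quote character that would have broken
    # string interpolation.
    for name, age in [("alice", "42"), ("bob", ""), ("O'Brien", "7")]:
        results.append(fetch_person(conn, insert_person(conn, name, age)))
    # Non-numeric text for an integer column is rejected in the app before
    # any SQL runs, rather than being handed to the database as a literal.
    try:
        insert_person(conn, "carol", "12 OR 1=1")
        results.append("accepted")
    except ValueError:
        results.append("rejected")
    return results
```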