Quick Links

Re: to escape or not to

From:	Merlin Moncure <mmoncure(at)gmail(dot)com>
To:	"Jean-Yves F(dot) Barbier" <12ukwn(at)gmail(dot)com>
Cc:	pgsql-novice(at)postgresql(dot)org
Subject:	Re: to escape or not to
Date:	2011-06-22 14:04:02
Message-ID:	BANLkTikN0YLuJQ69vAUzOS5Jbe6dhEV09g@mail.gmail.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-novice

On Wed, Jun 22, 2011 at 8:49 AM, Jean-Yves F. Barbier <12ukwn(at)gmail(dot)com> wrote:
> Hi list,
>
> As of '39.5: plpgsql-statements', it is said that using '$n' instead of a named
> variable is prefered and less sensitive to a SQL injection.
>
> Does it really mean if I use $n I don't have to 'quote_xxxxxx' any of these
> variables?

that is correct. (by the way, we are talking about dynamic statements
with 'execute' here).

merlin

In response to

to escape or not to at 2011-06-22 13:49:07 from Jean-Yves F. Barbier

Responses

Re: to escape or not to at 2011-06-22 19:05:33 from Jean-Yves F. Barbier

Browse pgsql-novice by date

	From	Date	Subject
Next Message	Jean-Yves F. Barbier	2011-06-22 19:05:33	Re: to escape or not to
Previous Message	Jean-Yves F. Barbier	2011-06-22 13:53:56	change to session_user in a security definer function