| From: | "Karen Hill" <karen_hill22(at)yahoo(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Best way to deal with quote_literal issue? |
| Date: | 2006-07-06 19:27:52 |
| Message-ID: | 1152214072.755638.190510@75g2000cwc.googlegroups.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hello.
I have client software that I wrote which uses parameters in function
calls to postgresql. I use quote_literal in postgresql functions.
That means I get data that is quoted when it finally ends up in the
tables which I don't want.
I know that you shouldn't trust data sent from the client, which is why
I use quote_literal on the server side, and I also know using
parameters is the best way to write client software which access an
RDBMS.
I don't want to remove the quote_literal just in case someone writes a
new client and forgets to use parameters thereby exposing an SQL
injection risk. Nor do I want to just keep quote_literal and dump
using parameters.
What is the best and most theoretically sound way to deal with this?
regards,
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Thomas Hallgren | 2006-07-06 20:02:44 | Re: [GENERAL] UUID's as primary keys |
| Previous Message | Karl O. Pinc | 2006-07-06 18:57:56 | Long term database archival |