| From: | Kev <kevinjamesfield(at)gmail(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: DML value format |
| Date: | 2007-08-10 12:07:19 |
| Message-ID: | 1186747639.775251.131750@x40g2000prg.googlegroups.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Aug 10, 6:56 am, atec_p(dot)(dot)(dot)(at)yahoo(dot)es (Alejandro Torras) wrote:
> -- English --
> Hi,
>
> Is there some way to put values in a INSERT statement
> without taking care of apostrophes?
>
> In example:
> INSERT INTO persons VALUES ('Harry', 'O'Callaghan');
> ^^^^^^^^^^^
>
> I think that it can be used some kind of length-marker
> to help the parsing of the value.
>
> In example:
> INSERT INTO persons VALUES ('Harry', @11:O'Callaghan);
>
> I think this approach could help reducing the sql
> injections.
If you're worried about sql injections, I'm not sure what kind of
client library you're using to access your pgsql database, but most of
them should have placeholder capability, I think, which definitely
takes care of that. Your statement would become INSERT INTO persons
VALUES (?, ?) and then you would pass the execution function your two
values and it would escape them properly for you. At least that's how
it works with Perl and DBI.
Kev
| From | Date | Subject | |
|---|---|---|---|
| Next Message | A. Kretschmer | 2007-08-10 12:42:48 | Re: Database Select Slow |
| Previous Message | Alejandro Torras | 2007-08-10 10:56:06 | [PROPOSAL] DML value format |