Re: DML value format

From: Kev <kevinjamesfield(at)gmail(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: DML value format
Date: 2007-08-10 12:07:19
Message-ID: 1186747639.775251.131750@x40g2000prg.googlegroups.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Aug 10, 6:56 am, atec_p(dot)(dot)(dot)(at)yahoo(dot)es (Alejandro Torras) wrote:
> -- English --
> Hi,
>
> Is there some way to put values in a INSERT statement
> without taking care of apostrophes?
>
> In example:
> INSERT INTO persons VALUES ('Harry', 'O'Callaghan');
> ^^^^^^^^^^^
>
> I think that it can be used some kind of length-marker
> to help the parsing of the value.
>
> In example:
> INSERT INTO persons VALUES ('Harry', @11:O'Callaghan);
>
> I think this approach could help reducing the sql
> injections.

If you're worried about sql injections, I'm not sure what kind of
client library you're using to access your pgsql database, but most of
them should have placeholder capability, I think, which definitely
takes care of that. Your statement would become INSERT INTO persons
VALUES (?, ?) and then you would pass the execution function your two
values and it would escape them properly for you. At least that's how
it works with Perl and DBI.

Kev

In response to

Browse pgsql-general by date

  From Date Subject
Next Message A. Kretschmer 2007-08-10 12:42:48 Re: Database Select Slow
Previous Message Alejandro Torras 2007-08-10 10:56:06 [PROPOSAL] DML value format