| From: | Richard Huxton <dev(at)archonet(dot)com> |
|---|---|
| To: | "surabhi(dot)ahuja" <surabhi(dot)ahuja(at)iiitb(dot)ac(dot)in> |
| Cc: | Tino Wildenhain <tino(at)wildenhain(dot)de>, Stephan Szabo <sszabo(at)megazone(dot)bigpanda(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: a stored procedure ..with integer as the parameter |
| Date: | 2005-10-26 07:10:26 |
| Message-ID: | 435F2BE2.7060308@archonet.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
surabhi.ahuja wrote:
> what do u suggest i do then in that case?
> i mean how should i make a query - i mean how do i make a command?
You should always provide well-defined escaping to all data coming from
a non-trusted source (i.e. outside your application) and preferably to
all data in any case.
If you are using "C" then libpq offers functions to escape strings.
Almost all other languages offer something similar.
In general, I never use "raw" functions to build my queries, I have
wrapper functions that ensure all queries are well-formed.
What language are you using, and what framework?
--
Richard Huxton
Archonet Ltd
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tino Wildenhain | 2005-10-26 07:15:20 | Re: a stored procedure ..with integer as the parameter |
| Previous Message | Andreas Kretschmer | 2005-10-26 07:02:20 | Re: Dump only functions... |