| From: | Ken Johanson <ken(at)kensystem(dot)com> |
|---|---|
| To: | Tony Caduto <tony(dot)caduto(at)amsoftwaredesign(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Perspective: PostgreSQL usage boon after release of |
| Date: | 2006-03-08 07:10:31 |
| Message-ID: | 440E8367.8040006@kensystem.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Tony Caduto wrote:
> Ken Johanson wrote:
>> Most of the corp folks I know who have tried using PG to augment or
>> replacement a commercial offering just tend to silently pause and
>> wait for this change.. that why this topic isn't really heard very
>> often. It's like going to a car lot to buy a SUV, but they don't have
>> any within sight.. the perspective buyer just moves on without saying
>> anything.
>
>
> I have converted databases from other DBs such as MS SQL server and
> never had a problem with string escaping, can you please post a
> example of what you mean? Do you mean inside of functions?
>
Well for a simple (for brevity) example, when you compile a query (not
via prepared stmts/argument based compilation) that takes user input,
how do you handle both backslashes and single-quotes? In practice the
way of doing this is quite different between pg and a iso-compliant db,
otherwise you have either code injection, or superfluous backslashes..
"SELECT firstName FROM tbl WHERE lastName = '"+toSql(userInput)+"' "
| From | Date | Subject | |
|---|---|---|---|
| Next Message | surabhi.ahuja | 2006-03-08 09:43:40 | regarding contains operator |
| Previous Message | Tony Caduto | 2006-03-08 06:05:38 | Re: Perspective: PostgreSQL usage boon after release of |