| From: | Tino Wildenhain <tino(at)wildenhain(dot)de> |
|---|---|
| To: | Steve Atkins <steve(at)blighty(dot)com> |
| Cc: | PostgreSQL General <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Secure "where in(a,b,c)" clause. |
| Date: | 2008-04-04 14:05:45 |
| Message-ID: | 47F635B9.60504@wildenhain.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Steve Atkins wrote:
...
> I count the number of values that I want to put in the IN () clause,
> then create a query string with the right number of bind variables
> in the in clause, then bind the values.
>
> So for {1, 3, 5} I'd use "select * from foo where bar in (?, ?, ?)" and for
> {1,5,7,9,11} I'd use "select * from foo where bar in (?, ?, ?, ?, ?)"
>
> Then, in perl-speak, I prepare that string into a query, loop through
> all my values and bind them one by one, then execute the query.
You mean something like:
items=(1,2,5,6,9)
cursor.execute("SELECT ... FROM foo where bar in (%s)" %
','.join('?'*len(items)),items)
? :-)
Oh.. I forgot he said PHP...
SCNR
Tino
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2008-04-04 14:17:30 | Re: modules |
| Previous Message | Glyn Astill | 2008-04-04 14:05:18 | ERROR: XX000: cache lookup failed for relation |