From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
---|---|
To: | Jym Morton <jym(at)outlook(dot)com> |
Cc: | "pgsql-docs(at)postgresql(dot)org" <pgsql-docs(at)postgresql(dot)org> |
Subject: | Re: Further Clarification request |
Date: | 2017-08-09 23:17:51 |
Message-ID: | CAKFQuwYS8k+qvsPXBWc-2yp08QkHtm_pD_bD5eKuSGZWJA4ebw@mail.gmail.com |
Lists: | pgsql-docs |
On Wed, Aug 9, 2017 at 4:03 PM, David G. Johnston <
david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
> On Wed, Aug 9, 2017 at 3:21 PM, Jym Morton <jym(at)outlook(dot)com> wrote:
>
>> When I write software, and use a database I don’t need to escape literals
>> if I have a Prepared Statement. This is a major reason some of us use
>> Prepared Statements. So, when I looked at this page, I was unclear about
>> whether or not I had to do it.
>>
>
> (pseudo-code)
> PREPARE stmt(text) AS SELECT $1;
> EXECUTE stmt('; TRUNCATE pg_catalog');
>
>
To be clear - you only need to escape the single quote once - to write the
original literal.
EXECUTE ('bob''s niece') -- bob's niece, with no risk of SQL injection
David J.
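The distinction drawn in this thread, as an added example that is not part of the original exchange: a bound parameter is sent as data and needs no escaping at all, while the doubled single quote is only the syntax for writing a literal into the SQL text itself, and doing both stores the doubled quote verbatim. The snippet assumes Python's built-in in-memory sqlite3 so it runs without a PostgreSQL server; the parameter-binding behaviour and the quote-doubling rule are the same in PostgreSQL.

```python
import sqlite3
from typing import Tuple

# Constructed example, not code from the mailing-list thread. sqlite3 stands
# in for PostgreSQL only because it runs in-process; "?" plays the role of $1.


def quote_literal(value: str) -> str:
    """Write a Python string as a SQL literal by doubling single quotes.

    This is the one escape the thread talks about, and it is needed only
    when the value is pasted into the SQL text rather than bound.
    """
    return "'" + value.replace("'", "''") + "'"


def _fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE names (v TEXT)")
    return con


def store_with_parameter(value: str) -> Tuple[str, bool]:
    """Bind the value as a parameter: the engine treats it purely as data.

    Returns the round-tripped value and whether the table still exists,
    so an injection attempt such as the one quoted above is visibly inert.
    """
    con = _fresh_db()
    con.execute("INSERT INTO names (v) VALUES (?)", (value,))
    (stored,) = con.execute("SELECT v FROM names").fetchone()
    table_ok = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'names'"
    ).fetchone()[0] == 1
    return stored, table_ok


def store_with_literal(value: str) -> str:
    """Paste a hand-quoted literal into the SQL text (no parameter).

    The SQL parser consumes the doubled quote, so the original string comes
    back. Passing quote_literal(value) as a *parameter* instead would keep
    the surrounding quotes and the doubling in the stored value.
    """
    con = _fresh_db()
    con.execute("INSERT INTO names (v) VALUES (" + quote_literal(value) + ")")
    (stored,) = con.execute("SELECT v FROM names").fetchone()
    return stored
```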