| From: | Michael Glaesemann <grzm(at)seespotcode(dot)net> |
|---|---|
| To: | Andrew Edson <cheighlund(at)yahoo(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Stripping apostrophes from data |
| Date: | 2007-08-20 18:34:01 |
| Message-ID: | FC287033-6E0E-4951-8C8B-369BF9BB31C6@seespotcode.net |
| Lists: | pgsql-general |
[Please don't top post as it makes the discussion more difficult to
follow.]
On Aug 20, 2007, at 13:21, Andrew Edson wrote:
> The dollar quoting appears to have fixed it; thank you. I
> apologize for my folly in sending out the original message.
I think this might be giving you a false sense of security. It looks
like I wasn't the only one to think you're probably doing something
unsafe. If you're interested in improving your code to make sure this
can never be a problem, look into bind variables (and prepared
statements). If you're directly interpolating variables into a query
string, you're just asking for trouble, regardless of what quoting
method you're using.
Michael Glaesemann
grzm seespotcode net
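The advice above (bind variables instead of interpolating values into the query text) is easy to check with a small script. The following is an added example written for this archive page, not code from either poster. It builds the dollar-quoted statement the way the thread's original approach would, runs a simple boundary check on it, and then stores the same values through placeholders instead. The table name, the sample names, and the `literal_boundaries_ok` helper are all assumptions made for the demonstration; `sqlite3` stands in for PostgreSQL because it ships with Python and runs offline, and the placeholder mechanism is the same idea as psycopg2's `%s` or Perl DBI's `?`.

```python
import sqlite3

# Constructed sample data: an ordinary apostrophe, a value that happens to contain
# the dollar-quote tag itself, and a plain value for comparison.
SAMPLE_NAMES = ["O'Reilly", "x$$y", "plain"]


def interpolated_literal(value: str) -> str:
    # Builds the statement the way the thread's original code did once it switched
    # to dollar quoting: the raw value is spliced into the SQL text. Apostrophes no
    # longer matter, but nothing about the value is escaped either.
    return f"INSERT INTO names (name) VALUES ($${value}$$)"


def literal_boundaries_ok(statement: str) -> bool:
    # Defensive check (hypothetical helper): a single dollar-quoted literal contains
    # exactly one opening and one closing $$ tag. Any extra tag means the data itself
    # closed the literal, so the remainder is parsed as SQL rather than as data.
    return statement.count("$$") == 2


def store_and_fetch(values):
    # Bind variables: the SQL text is fixed and each value travels separately, so the
    # database never parses the data as SQL. sqlite3 is used here only because it is
    # in the standard library; psycopg2 (%s) and Perl DBI (?) work the same way.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO names (name) VALUES (?)", [(v,) for v in values])
    rows = conn.execute("SELECT name FROM names ORDER BY name").fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        intact = literal_boundaries_ok(interpolated_literal(name))
        print(f"{name!r:12} dollar-quoted literal intact: {intact}")
    print("round-tripped via bind variables:", store_and_fetch(SAMPLE_NAMES))
```

The point the check makes is the one Michael makes in prose: dollar quoting moves the problem from `'` to `$$`, it does not remove it, whereas the placeholder version round-trips every value, tag included, without the query text ever changing.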