Hello.
I have client software that I wrote which uses parameters in function
calls to postgresql. I use quote_literal in postgresql functions.
That means I get data that is quoted when it finally ends up in the
tables which I don't want.
I know that you shouldn't trust data sent from the client, which is why
I use quote_literal on the server side, and I also know using
parameters is the best way to write client software which access an
RDBMS.
I don't want to remove the quote_literal just in case someone writes a
new client and forgets to use parameters thereby exposing an SQL
injection risk. Nor do I want to just keep quote_literal and dump
using parameters.
What is the best and most theoretically sound way to deal with this?
regards,
