Re: C API, PQconnectdb and options Q. - Mailing list pgsql-general

From Richard Huxton
Subject Re: C API, PQconnectdb and options Q.
Date
Msg-id 200309101920.49947.dev@archonet.com
In response to Re: C API, PQconnectdb and options Q.  ("D. Stimits" <stimits@comcast.net>)
List pgsql-general
On Wednesday 10 September 2003 18:47, D. Stimits wrote:
>
> I found a partial answer to this...it seems to be a bug in
> PQescapeString(). Turns out that if I do something with an insert using
> quotes for a varchar field, e.g.:
>   INSERT INTO foo VALUES ('bar')
>
> ...then it escapes this to:
>   INSERT INTO foo VALUES (''bar'')
>
> It doesn't like the pair of single quotes.
>
> But I also can't do this, due to requirements of SQL syntax:
>   INSERT INTO foo VALUES (bar)
>
> How can I use PQescapeString() with input I would like to make somewhat
> safer via escaping? How would I use PQescapeString() without writing my
> own replacement that works with inserts?

I think the idea is to escape just the parameters to the SQL statement. So
(not in C syntax):

query = "INSERT INTO foo values ('" + PQescapeString("O'Neill") + "')"

This will double the single-quote in O'Neill.

I tend to use higher-level languages where this sort of thing is handled by
functions in e.g. Perl's DBI layer. If there isn't a suitable interface layer
available, you could write your own that does something like:

query = build_sql("INSERT INTO foo values (?,'?')", 1, "fred");

I can't believe there isn't something like this available though.

--
  Richard Huxton
  Archonet Ltd
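The approach the reply describes, as an added example that is not from this thread or from libpq: escape each parameter on its own and splice it into an otherwise fixed statement, instead of escaping the whole statement (which is what doubled the quotes around `bar`). `escape_string()` here is a stand-in for `PQescapeString()` so the file builds without libpq, and `build_sql()` is the hypothetical helper from the reply, simplified to quote every parameter.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libpq's PQescapeString(), written here so the example builds
 * without libpq: every single quote is doubled, which is the behaviour the
 * thread observes.  As with libpq, `to` must have room for 2*length+1 bytes. */
size_t escape_string(char *to, const char *from, size_t length)
{
    size_t n = 0;
    for (size_t i = 0; i < length; i++) {
        if (from[i] == '\'')
            to[n++] = '\'';          /* '  becomes  '' */
        to[n++] = from[i];
    }
    to[n] = '\0';
    return n;
}

/* Hypothetical build_sql(): each '?' in the template is replaced by the next
 * argument, escaped on its own and wrapped in single quotes.  The template
 * text itself never goes through escape_string(), which is the point of the
 * reply.  Caller frees the result; NULL on allocation failure. */
char *build_sql(const char *tmpl, const char **args, size_t nargs)
{
    size_t cap = strlen(tmpl) + 1, next = 0;
    for (size_t i = 0; i < nargs; i++)
        cap += 2 * strlen(args[i]) + 2;   /* all-quotes worst case + 2 quotes */
    char *out = malloc(cap);
    if (!out)
        return NULL;
    char *p = out;
    for (; *tmpl; tmpl++) {
        if (*tmpl == '?' && next < nargs) {
            *p++ = '\'';
            p += escape_string(p, args[next], strlen(args[next]));
            *p++ = '\'';
            next++;
        } else {
            *p++ = *tmpl;
        }
    }
    *p = '\0';
    return out;
}
```

Current libpq also offers `PQescapeStringConn()` and, with `PQexecParams()`, sends the parameters separately so the statement is never assembled as a string at all.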
