On Mon, Jul 26, 2004 at 08:08:35AM +0200 I heard the voice of
Mage, and lo! it spake thus:
> Bill Moran wrote:
> >
> >Simply put:
> >1) If the untrusted value is a string, using a proper escape
> > sequence should make it safe.
>
> in pgsql (and mysql) you can escape almost everything.
>
> update table set a = '5' is corrent, even is column a is integer type.
> You can't escape the null value.
Which, IMO, is a great thing; I studiously trained myself to use the
escaping functions on every value I ever use in a query. If you
escape everything unconditionally, without worrying about what type
the column is, there's a lot less chance for mistakes and oversights.
--
Matthew Fuller (MF4839) | fullermd@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
"The only reason I'm burning my candle at both ends, is because I
haven't figured out how to light the middle yet"
