Re: Bind Variables and Quoting / Dequoting Input - Mailing list pgsql-novice

From Michael Fuhr
Subject Re: Bind Variables and Quoting / Dequoting Input
Msg-id 20051210015827.GA17631@winnie.fuhr.org
In response to Re: Bind Variables and Quoting / Dequoting Input  (Michael Fuhr <mike@fuhr.org>)
Responses Re: Bind Variables and Quoting / Dequoting Input  (<operationsengineer1@yahoo.com>)
List pgsql-novice
On Fri, Dec 09, 2005 at 06:22:29PM -0700, Michael Fuhr wrote:
> On Fri, Dec 09, 2005 at 01:54:13PM -0800, operationsengineer1@yahoo.com wrote:
> > do i need to quote input even though i'm using bind
> > variables in my queries?
> >
> > i seem to think that quoting on entry and unquoting on
> > return was a method for fighting sql injection, but
> > i'm also thinking that bind variables may make that
> > step meaningless.
>
> Using placeholders should eliminate the need to quote, either by
> quoting for you or by using the underlying protocol's mechanism for
> parameterized queries.

I might have misunderstood what you meant by "bind variables."
Could you explain exactly what you're doing?

--
Michael Fuhr
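The point in the quoted reply (placeholders make manual quoting and dequoting unnecessary, because the literal never becomes part of the SQL text) is easy to check. The following is an added example, not code from the thread or from the poster; it uses Python's built-in sqlite3 driver only so that it runs offline, and the table and rows are constructed. With psycopg2 against PostgreSQL the placeholder is %s instead of ? and the values are still passed as a separate tuple, which is the "underlying protocol's mechanism" mentioned above.

```python
import sqlite3

# Constructed sample rows; the third name contains a single quote on purpose.
USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("o'reilly", "irish"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # executemany() with placeholders: the driver binds each value itself.
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name, password):
    """Vulnerable: user input is pasted into the SQL text.

    An unquoted single quote either breaks the statement (syntax error)
    or lets the caller rewrite the WHERE clause.
    """
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name, password):
    """Safe: the SQL text is fixed, the values travel as parameters.

    Quotes inside name or password are just characters; no escaping is
    done by the caller and none is needed.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def roundtrip(conn, value):
    """Store a string through a placeholder and read it back.

    Because the driver binds the value, what comes back is exactly what
    went in: there is no layer of added quotes to strip on the way out.
    """
    conn.execute("INSERT INTO users VALUES (?, ?)", (value, "x"))
    row = conn.execute("SELECT name FROM users WHERE name = ?",
                       (value,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    evil = "x' OR '1'='1"
    print("concatenated:", lookup_concat(db, evil, evil))  # every row
    print("bound:       ", lookup_bound(db, evil, evil))   # no rows
    print("bound quote: ", lookup_bound(db, "o'reilly", "irish"))
    print("roundtrip:   ", roundtrip(db, "it's 5 o'clock"))
```

Running it shows the contrast: the concatenated query with `x' OR '1'='1` returns every user, the bound query returns none, and a name such as `o'reilly` makes the concatenated query fail while the bound query finds the row. The last line shows that a value written and read through placeholders comes back unchanged, so there is nothing to "dequote" on return.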
