Re: Sql injection attacks - Mailing list pgsql-general

From Tom Lane
Subject Re: Sql injection attacks
Msg-id 27702.1090854781@sss.pgh.pa.us
In response to Re: Sql injection attacks  (Geoff Caplan <geoff@variosoft.com>)
Responses Re: Sql injection attacks  (Lincoln Yeoh <lyeoh@pop.jaring.my>)
List pgsql-general
Geoff Caplan <geoff@variosoft.com> writes:
> Obviously, proper validation is a given for all kinds of reasons. But
> the problem with validation/escaping as the primary defense against
> injection seems to be that simply escaping would not catch every type
> of insertion via strings.

I think you misunderstood.  Escaping is perfectly safe (given a correct
escaping function) if it's used on *every* untrustworthy input string.
The argument for the "keep data separate from code" approach is
essentially just that it's easier to be sure you haven't forgotten
anyplace where you need to escape.

            regards, tom lane
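The two approaches the reply contrasts, as an added example that is not part of the thread: a quoting function applied to every untrusted string versus a parameterised query that carries the data separately. It runs on Python's bundled sqlite3 so it works offline; the table, rows and inputs are constructed here, and the `?` placeholder is sqlite3's (PostgreSQL drivers use their own, e.g. `%s` in psycopg).

```python
import sqlite3


def quote_literal(value: str) -> str:
    """SQL-standard quoting: wrap in single quotes, double any embedded quote.

    Illustration only; a real PostgreSQL client should use the driver's own
    routine (e.g. libpq's PQescapeLiteral), which also handles encoding and
    server settings this toy function ignores.
    """
    return "'" + value.replace("'", "''") + "'"


def make_db() -> sqlite3.Connection:
    # Constructed sample table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unescaped(conn: sqlite3.Connection, name: str) -> list:
    # The defect: untrusted text spliced straight into the SQL statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    # Safe provided *every* input path goes through quote_literal;
    # one forgotten call site reintroduces the defect above.
    sql = "SELECT name FROM users WHERE name = " + quote_literal(name) + " ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    # Data and SQL text travel separately, so there is no escaping to forget.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]
```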
