Re: a stored procedure ..with integer as the parameter - Mailing list pgsql-general

From Richard Huxton
Subject Re: a stored procedure ..with integer as the parameter
Msg-id 435F2BE2.7060308@archonet.com
In response to Re: a stored procedure ..with integer as the parameter  ("surabhi.ahuja" <surabhi.ahuja@iiitb.ac.in>)
List pgsql-general
surabhi.ahuja wrote:
> what do u suggest i do then in that case?
> i mean how should i make a query - i mean how do i make a command?

You should always provide well-defined escaping to all data coming from
a non-trusted source (i.e. outside your application) and preferably to
all data in any case.

If you are using "C" then libpq offers functions to escape strings.
Almost all other languages offer something similar.

In general, I never use "raw" functions to build my queries; I have
wrapper functions that ensure all queries are well-formed.

What language are you using, and what framework?

--
   Richard Huxton
   Archonet Ltd
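As an added illustration (not code from Richard's post and not part of libpq), here is one shape such a wrapper can take in C for the integer-parameter case this thread is about: the untrusted text is parsed strictly as an integer before it is ever formatted into the command, so a value like `42; DROP TABLE users` is rejected rather than spliced in. The names `parse_int_param` and `build_proc_call` are assumptions; a real libpq client would rather hand the value to `PQexecParams` as a bound parameter, and use `PQescapeStringConn` for string data.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strictly parse untrusted text as a 32-bit integer (hypothetical helper).
 * Rejects empty input, trailing garbage and out-of-range values, so the
 * caller never sees "42; DROP TABLE users" as the number 42. */
bool parse_int_param(const char *text, int *out)
{
    if (text == NULL || *text == '\0')
        return false;
    errno = 0;
    char *end = NULL;
    long v = strtol(text, &end, 10);
    if (errno == ERANGE || end == text)
        return false;
    while (*end != '\0') {                 /* only trailing whitespace is tolerated */
        if (!isspace((unsigned char)*end))
            return false;
        end++;
    }
    if (v < INT_MIN || v > INT_MAX)
        return false;
    *out = (int)v;
    return true;
}

/* Wrapper (hypothetical) that builds "SELECT <proc>(<n>);" for a procedure
 * name chosen by the application, not by the user. The raw input string is
 * never concatenated into the SQL; only the validated integer is.
 * Returns bytes written, or -1 if the name or the parameter is unacceptable. */
int build_proc_call(const char *proc, const char *untrusted,
                    char *buf, size_t buflen)
{
    if (proc == NULL || *proc == '\0')
        return -1;
    for (const char *p = proc; *p; p++)    /* identifier allow-list: [A-Za-z0-9_] */
        if (!isalnum((unsigned char)*p) && *p != '_')
            return -1;
    int n;
    if (!parse_int_param(untrusted, &n))
        return -1;
    int written = snprintf(buf, buflen, "SELECT %s(%d);", proc, n);
    if (written < 0 || (size_t)written >= buflen)
        return -1;                         /* truncated: refuse rather than send a partial command */
    return written;
}
```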
