At 10:35 AM 2/18/2004 -0700, scott.marlowe wrote:
>It works, I just like writing things in the most self documenting manner
>possible, since one day somebody else may look at:
>
>select * from test where id='456'
>
>and go, "hey, that's just an int, no need for the quotes" and take them
>out not knowing what they do. cast(456 as int8) is pretty obvious, '456'
>is much more subtle.
Well whenever I see:
select * from test where id=$var
I think "possible SQL injection".
I'd rather see bind variables be used or something similar, and when you
use those, the quotes are automatic.
With your method if the table is altered to int4 or something else, it
won't use the index (unless a postgresql dev adds stuff).
'456'::int8 seems to work too. But I suppose that's a Postgresql-ism.
