Oliver Jowett <oliver@opencloud.com> writes:
> ... won't this break code that does something like this? :
> stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
> stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);
Code that does that is just going to have to break. We should try to
provide equivalent functionality in a less unsafe fashion; but
backwards compatibility with code that is exploiting a security hole
is not an option.
regards, tom lane