Bill Gribble <grib@linuxdevel.com> writes:
> So the only escaping I do in my app currently is to replace ' with '' in
> user-input strings. If I assume that the goal is to prevent any
> user-input strings from being evaluated as SQL statements (only to allow
> user input as constant values), what other escaping do I need to do?
In PG you also need to double backslashes. That's it --- there are no
other special characters in string literals.
regards, tom lane
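The two rules above (double every single quote, and also double every backslash) are easy to state but easy to get wrong, so here is an added worked example that is not part of the original thread. It assumes a server that treats backslash as an escape character inside ordinary '...' literals, which is the behaviour being discussed here (on current PostgreSQL that corresponds to standard_conforming_strings = off, or to an E'...' literal). The small scanner is a hypothetical, simplified model of how such a literal is tokenized; it exists only to show how much of the attacker's text ends up parsed as SQL when backslashes are left alone.

```python
"""Escaping user input into a PostgreSQL string literal.

Added example, not code from the thread.  Assumes backslash-escaped
literals (standard_conforming_strings = off, or E'...' syntax).
"""
from typing import Optional


def escape_quotes_only(s: str) -> str:
    """The thread's starting point: only ' is doubled, backslash untouched."""
    return "'" + s.replace("'", "''") + "'"


def escape_pg_literal(s: str) -> str:
    """Double backslashes first, then single quotes, then wrap in quotes.
    Order matters: doubling quotes first and then backslashes would still be
    correct here, but doubling backslashes last is the habit to keep when an
    escape routine also adds other backslash sequences."""
    return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"


def scan_literal(sql: str) -> Optional[int]:
    """Simplified model (hypothetical, not the server's lexer) of how a
    backslash-escaped literal is consumed: a backslash swallows the next
    character, '' inside the literal is one quote, a lone ' closes it.
    Returns the index just past the closing quote, or None if the literal
    never terminates."""
    assert sql and sql[0] == "'"
    i, n = 1, len(sql)
    while i < n:
        c = sql[i]
        if c == "\\":
            i += 2                      # escaped character, whatever it is
            continue
        if c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                i += 2                  # doubled quote, still inside literal
                continue
            return i + 1                # closing quote
        i += 1
    return None


def leaked_sql(literal: str) -> Optional[str]:
    """Text the server would parse as SQL *after* the literal closes.
    "" means the user data stayed inside the literal; None means the literal
    never closed (the attacker's quote was escaped away, so the statement
    continues into whatever follows, e.g. the next field)."""
    end = scan_literal(literal)
    if end is None:
        return None
    return literal[end:]


def build_query(name: str, escape=escape_pg_literal) -> str:
    """Constant-value use of user input, as the question describes."""
    return "SELECT id FROM users WHERE name = " + escape(name)


if __name__ == "__main__":
    # Constructed attacker inputs: a lone backslash, and a backslash that
    # neutralises the doubled quote so the rest is read as SQL.
    for raw in ["O'Reilly", "\\", "\\'; DROP TABLE t; --"]:
        for fn in (escape_quotes_only, escape_pg_literal):
            lit = fn(raw)
            print(f"{fn.__name__:20} {lit!r:40} leaked={leaked_sql(lit)!r}")
```

Run it and the third input shows the failure mode: with quote-doubling alone the literal closes early and `; DROP TABLE t; --'` is parsed as SQL, while the full escape keeps the whole payload inside the literal. In practice a client library's parameter binding or its own quoting function is the safer choice than hand-rolled escaping, precisely because the set of special characters depends on server settings.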