Home > mailing lists

Re: to escape or not to - Mailing list pgsql-novice

From	Merlin Moncure
Subject	Re: to escape or not to
Date	June 22, 2011 14:04:15
Msg-id	BANLkTikN0YLuJQ69vAUzOS5Jbe6dhEV09g@mail.gmail.com Whole thread Raw
In response to	to escape or not to ("Jean-Yves F. Barbier" <12ukwn@gmail.com>)
Responses	Re: to escape or not to ("Jean-Yves F. Barbier" <12ukwn@gmail.com>)
List	pgsql-novice

Tree view

On Wed, Jun 22, 2011 at 8:49 AM, Jean-Yves F. Barbier <12ukwn@gmail.com> wrote:
> Hi list,
>
> As of '39.5: plpgsql-statements', it is said that using '$n' instead of a named
> variable is prefered and less sensitive to a SQL injection.
>
> Does it really mean if I use $n I don't have to 'quote_xxxxxx' any of these
> variables?

that is correct. (by the way, we are talking about dynamic statements
with 'execute' here).

merlin

pgsql-novice by date:

From: "Jean-Yves F. Barbier"
Date: 22 June 2011, 13:54:07
Subject: change to session_user in a security definer function

From: "Jean-Yves F. Barbier"
Date: 22 June 2011, 19:05:44
Subject: Re: to escape or not to

Re: to escape or not to - Mailing list pgsql-novice

Previous

Next