On Thu, Apr 3, 2008 at 11:50 AM, William Temperley
<willtemperley@gmail.com> wrote:
> This works very well, however I'm currently directly concatenating a sql query:
>
> select st_collect(the_geom) from tiles where tilename in
> (<comma delimited list>)
>
> Which leaves my application vulnerable to sql injection.
>
> As the length of the comma delimited list is highly variable I don't
> think I can use a prepared query to increase security.
Use a prepared query and ANY, e.g.:
select st_collect(the_geom) from tiles
where tilename = any('{foo,bar,baz}');
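As an added illustration (not code from either poster), the two patterns side by side: the concatenated `IN (...)` query from the question, and the reply's `= ANY(...)` form with the whole list bound as a single array parameter, so the statement text never changes regardless of how many names there are or what they contain. `$1` is PostgreSQL's native placeholder; psycopg2 users would write `%s` and pass a Python list, which the driver adapts to an array. No database connection is made here; `pg_array_literal` only shows the text-format encoding a driver produces for the array parameter, and the tile names are constructed samples.

```python
"""Build the tile query two ways: vulnerable concatenation versus a
parameterized `tilename = ANY($1)` with one array parameter.
Added example, not from the mailing-list thread; no DB connection."""
from typing import Iterable, List, Tuple


def build_vulnerable(tile_names: Iterable[str]) -> str:
    """The pattern from the question: names are spliced into the text.
    A single quote inside a name changes the statement's structure."""
    quoted = ", ".join("'" + name + "'" for name in tile_names)
    return (
        "select st_collect(the_geom) from tiles "
        "where tilename in (" + quoted + ")"
    )


def build_parameterized(tile_names: Iterable[str]) -> Tuple[str, List[List[str]]]:
    """The pattern from the reply: a constant statement plus one bound
    array parameter.  Returns (statement, params) in the shape a driver
    call like cursor.execute(statement, params) expects."""
    statement = (
        "select st_collect(the_geom) from tiles where tilename = any($1)"
    )
    # The whole list is ONE parameter; its length is irrelevant.
    return statement, [list(tile_names)]


def pg_array_literal(values: Iterable[str]) -> str:
    """Text-format array literal as a driver sends it for the array
    parameter (the '{foo,bar,baz}' form in the reply, fully quoted).
    Each element is double-quoted, with backslash and double quote
    escaped, so commas, braces or single quotes inside a tile name stay
    inside their element instead of altering the statement."""
    parts = []
    for value in values:
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        parts.append('"' + escaped + '"')
    return "{" + ",".join(parts) + "}"


if __name__ == "__main__":
    # Constructed sample: one ordinary name and one containing a quote.
    names = ["tile_001", "x') or true --"]
    print("concatenated :", build_vulnerable(names))
    stmt, params = build_parameterized(names)
    print("parameterized:", stmt)
    print("parameter    :", pg_array_literal(params[0]))
```

With the parameterized form the server parses the statement once and receives the names as data, so the second sample name is simply a (non-matching) tile name rather than a new `OR` clause.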