Thread: to escape or not to

to escape or not to

From
"Jean-Yves F. Barbier"
Date:
Hi list,

As of '39.5: plpgsql-statements', it is said that using '$n' instead of a named
variable is preferred and less sensitive to SQL injection.

Does it really mean that if I use $n I don't have to 'quote_xxxxxx' any of these
variables?

JY
--
The 80's -- when you can't tell hairstyles from chemotherapy.

Re: to escape or not to

From
Merlin Moncure
Date:
On Wed, Jun 22, 2011 at 8:49 AM, Jean-Yves F. Barbier <12ukwn@gmail.com> wrote:
> Hi list,
>
> As of '39.5: plpgsql-statements', it is said that using '$n' instead of a named
> variable is preferred and less sensitive to SQL injection.
>
> Does it really mean that if I use $n I don't have to 'quote_xxxxxx' any of these
> variables?

That is correct. (By the way, we are talking about dynamic statements
with 'execute' here.)

merlin
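
Added example (not part of the thread, not from the PostgreSQL docs): three
PL/pgSQL functions that run the same dynamic query, to show the difference
Merlin is describing. The first splices the value into the SQL text and so
depends on somebody remembering quote_literal; the second binds it as $1 via
USING, so the value never becomes SQL text and there is nothing to escape.
The third shows the one thing USING cannot do: a table or column name is an
identifier, not a value, so it still has to go through format('%I') or
quote_ident. Table, column and function names are made up for illustration;
format() assumes PostgreSQL 9.1 or later.

```sql
-- Added example, not from the original thread. Names are illustrative.

-- Constructed demo data.
CREATE TEMP TABLE users (email text);
INSERT INTO users VALUES ('a@example.com'), ('b@example.com');

-- 1. Concatenation: the value is part of the SQL text, so it MUST be escaped
--    by hand. Drop the quote_literal() and this is a SQL injection.
CREATE OR REPLACE FUNCTION count_users_concat(p_email text)
RETURNS bigint LANGUAGE plpgsql AS $f$
DECLARE
    n bigint;
BEGIN
    EXECUTE 'SELECT count(*) FROM users WHERE email = ' || quote_literal(p_email)
       INTO n;
    RETURN n;
END
$f$;

-- 2. Parameter: inside the EXECUTE string, $1 refers to the first USING
--    argument. The value is sent as a bound parameter, never spliced into
--    the statement text, so no quote_* call is needed (Merlin's point).
CREATE OR REPLACE FUNCTION count_users_param(p_email text)
RETURNS bigint LANGUAGE plpgsql AS $f$
DECLARE
    n bigint;
BEGIN
    EXECUTE 'SELECT count(*) FROM users WHERE email = $1'
       INTO n
      USING p_email;
    RETURN n;
END
$f$;

-- 3. Caveat: identifiers cannot be passed with USING. A caller-supplied
--    table name still has to be escaped as an identifier (%I / quote_ident);
--    only the value goes through $1.
CREATE OR REPLACE FUNCTION count_rows(p_table text, p_email text)
RETURNS bigint LANGUAGE plpgsql AS $f$
DECLARE
    n bigint;
BEGIN
    EXECUTE format('SELECT count(*) FROM %I WHERE email = $1', p_table)
       INTO n
      USING p_email;
    RETURN n;
END
$f$;

-- Hostile input: with $1 binding the quote is just data, so the count is 0,
-- not 2 as it would be if the text were spliced in unescaped.
SELECT count_users_param($q$x' OR '1'='1$q$);            -- 0
SELECT count_users_concat($q$x' OR '1'='1$q$);           -- 0 (thanks to quote_literal)
SELECT count_rows('users', 'a@example.com');             -- 1
```

The same rule applies to any SQL you build for EXECUTE: everything that is a
value goes in USING and is referenced as $1, $2, ...; only identifiers and
keywords are still assembled into the string, and those go through format('%I')
or quote_ident().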

Re: to escape or not to

From
"Jean-Yves F. Barbier"
Date:
On Wed, 22 Jun 2011 09:04:02 -0500, Merlin Moncure <mmoncure@gmail.com> wrote:

...
> That is correct. (By the way, we are talking about dynamic statements
> with 'execute' here.)

Thanks merlin
--