Tony Caduto wrote:
Well for a simple (for brevity) example, when you compile a query (not via prepared stmts/argument based compilation) that takes user input, how do you handle both backslashes and single-quotes? In practice the way of doing this is quite different between pg and a iso-compliant db, otherwise you have either code injection, or superfluous backslashes..Ken Johanson wrote:Most of the corp folks I know who have tried using PG to augment or replacement a commercial offering just tend to silently pause and wait for this change.. that why this topic isn't really heard very often. It's like going to a car lot to buy a SUV, but they don't have any within sight.. the perspective buyer just moves on without saying anything.I have converted databases from other DBs such as MS SQL server and never had a problem with string escaping, can you please post a example of what you mean? Do you mean inside of functions?
"SELECT firstName FROM tbl WHERE lastName = '"+toSql(userInput)+"' "
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature