"Merlin Moncure" <mmoncure@xxxxxxxxx> writes:
> On 9 May 2006 17:04:31 -0700, Karen Hill <karen_hill22@xxxxxxxxx> wrote:
>> Is my understanding correct that the following is vulnerable to SQL
>> injection in psql:
> ...
> no, IMO this is the safest and best option.

Neither of the options that Karen shows is dangerous. What would be
dangerous is building a SQL command string and feeding it to EXECUTE
*without* using quote_literal.

I agree with Merlin that you shouldn't use EXECUTE unless you have to ---
it's both much slower than a precompiled statement, and much more
vulnerable to security mistakes.

			regards, tom lane
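The three shapes Tom contrasts, written out as an added example that is not part of the original thread or of PostgreSQL's own code: a static query inside PL/pgSQL (the parameter is bound, never spliced into statement text), an EXECUTE built by plain concatenation, and the same EXECUTE guarded with quote_literal. The `accounts` table, the function names and the sample rows are constructed for this example.

```sql
-- Constructed demo table for the example (not from the original post).
CREATE TABLE accounts (
    id       serial PRIMARY KEY,
    username text NOT NULL,
    balance  numeric NOT NULL
);
INSERT INTO accounts (username, balance) VALUES ('alice', 100), ('bob', 25);

-- 1. Static SQL in PL/pgSQL: the statement is prepared once and p_user is
--    passed as a parameter, so the value can never change the query text.
--    This is the "precompiled statement" case; no quoting is needed.
CREATE FUNCTION balance_static(p_user text) RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    SELECT balance INTO v_balance FROM accounts WHERE username = p_user;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- 2. DANGEROUS: the command string is assembled by concatenation and handed
--    to EXECUTE without quote_literal. A single quote in p_user ends the
--    literal and the rest of the input becomes SQL.
CREATE FUNCTION balance_unsafe(p_user text) RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    EXECUTE 'SELECT balance FROM accounts WHERE username = '''
            || p_user || ''''
       INTO v_balance;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- 3. Safe dynamic SQL: quote_literal() wraps the value in quotes and doubles
--    any quote characters inside it, so the input stays a single literal.
--    Caveat (assumption about older releases too): quote_literal(NULL)
--    returns NULL, which makes the whole concatenated command NULL and
--    EXECUTE raises an error instead of running anything.
CREATE FUNCTION balance_safe(p_user text) RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    EXECUTE 'SELECT balance FROM accounts WHERE username = '
            || quote_literal(p_user)
       INTO v_balance;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- Constructed attacker input: a tautology that closes the literal.
SELECT balance_static('alice');
SELECT balance_unsafe($$x' OR '1'='1$$);
SELECT balance_safe($$x' OR '1'='1$$);
```

With the tautology input, `balance_unsafe` runs `SELECT balance FROM accounts WHERE username = 'x' OR '1'='1'`, which matches every row and hands back the first one's balance; `balance_safe` runs `... WHERE username = 'x'' OR ''1''=''1'`, a lookup for a username that does not exist, and returns NULL. `balance_static` never builds a string at all, which is why it is both the fastest and the simplest option when the query shape is fixed.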