Hello. I have client software that I wrote which uses parameters in function calls to postgresql. I use quote_literal in postgresql functions. That means I get data that is quoted when it finally ends up in the tables which I don't want. I know that you shouldn't trust data sent from the client, which is why I use quote_literal on the server side, and I also know using parameters is the best way to write client software which access an RDBMS. I don't want to remove the quote_literal just in case someone writes a new client and forgets to use parameters thereby exposing an SQL injection risk. Nor do I want to just keep quote_literal and dump using parameters. What is the best and most theoretically sound way to deal with this? regards,
