On Thu, Apr 3, 2008 at 11:50 AM, William Temperley <willtemperley@xxxxxxxxx> wrote:
> This works very well; however, I'm currently directly concatenating a SQL query:
>
> select st_collect(the_geom) from tiles where tilename in
> (<comma delimited list>)
>
> which leaves my application vulnerable to SQL injection.
>
> As the length of the comma-delimited list is highly variable, I don't
> think I can use a prepared query to increase security.

Use a prepared query and ANY, e.g.:

select st_collect(the_geom) from tiles where tilename = any('{foo,bar,baz}');

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
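The suggestion above works because a variable-length list becomes one array parameter, so the statement text is fixed and can be prepared once. The following is an added example (not from the thread) that builds that single `text[]` literal for the `tilename = ANY(...)` query; it assumes PostgreSQL's native `$1` positional placeholder (drivers such as psycopg2 use `%s` instead) and applies the array-literal quoting rules so that commas, braces, quotes and whitespace inside a tile name stay within one element.

```python
"""Bind a variable-length list of tile names as ONE array parameter."""
import re

# Constant statement (assumed PostgreSQL positional placeholder):
# $1 is a single text[] parameter, so the SQL never changes with input.
TILE_QUERY = "SELECT st_collect(the_geom) FROM tiles WHERE tilename = ANY($1)"

# Characters that force an element to be double-quoted inside a
# PostgreSQL array literal: delimiter, braces, quote, backslash, whitespace.
_NEEDS_QUOTING = re.compile(r'[{},"\\\s]')


def pg_array_literal(values):
    """Serialise a list of strings as a PostgreSQL text[] literal.

    Elements that are empty, spell NULL, or contain special characters are
    wrapped in double quotes, with embedded '"' and '\\' escaped by a
    backslash, so each input string maps to exactly one array element.
    A Python None becomes an SQL NULL element.
    """
    parts = []
    for v in values:
        if v is None:
            parts.append("NULL")
        elif v == "" or v.upper() == "NULL" or _NEEDS_QUOTING.search(v):
            escaped = v.replace("\\", "\\\\").replace('"', '\\"')
            parts.append(f'"{escaped}"')
        else:
            parts.append(v)
    return "{" + ",".join(parts) + "}"


def tile_query(tilenames):
    """Return (sql, params) for a prepared execution of TILE_QUERY.

    Whatever the length or content of `tilenames`, the SQL text is the
    same; only the single bound parameter changes, so tile names are
    data to the server and never part of the statement.
    """
    return TILE_QUERY, [pg_array_literal(tilenames)]


if __name__ == "__main__":
    sql, params = tile_query(["foo", "bar", "baz"])
    print(sql)        # constant statement
    print(params[0])  # {foo,bar,baz}
    # Names with commas, quotes or braces remain single elements:
    print(pg_array_literal(["a,b", 'say "hi"', "o'neil", ""]))
```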