On Thu, Apr 3, 2008 at 9:50 AM, William Temperley <willtemperley@xxxxxxxxx> wrote:

> Hi All
>
> I hope this isn't a FAQ, but does anyone have any suggestions as to
> how to make a query that selects using:
> "where in(<comma delimited list>)"
> secure from an sql injection point of view?

I have an idea, but I can't comment if it is a good idea since I haven't tried it.

Maybe you can create a temp table for each user, insert the values you want into the table, and lastly perform a join on your foo table with the user's temp table. This hopefully would leave anything open for injection. When you are done just drop the temp table.

--
Regards,
Richard Broersma Jr.

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
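An added example, not from this thread or its authors, of the usual answer to the question asked above: emit one bound placeholder per element of the list so each value reaches the database as data, and take the column name from an allow-list the application controls. It runs against a constructed in-memory sqlite table named foo to mirror the thread; the schema, sample rows and hostile input are assumptions, and the "naive" function is shown only to contrast the string-pasting pattern the question is worried about.

```python
import sqlite3
from typing import Any, Sequence, Tuple

# Column names cannot be bound parameters, so they come from an allow-list
# the application controls, never from the request (hypothetical schema).
ALLOWED_COLUMNS = {"id", "name"}

def build_in_query(column: str, values: Sequence[Any]) -> Tuple[str, tuple]:
    """Build `SELECT ... WHERE column IN (?, ?, ...)` with one placeholder
    per value, so every element reaches the database as data, never as SQL.
    An empty list would yield `IN ()`, a syntax error in most dialects, so
    it is rewritten to match nothing."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    if not values:
        return "SELECT id, name FROM foo WHERE 1 = 0", ()
    placeholders = ", ".join("?" for _ in values)
    sql = f"SELECT id, name FROM foo WHERE {column} IN ({placeholders}) ORDER BY id"
    return sql, tuple(values)

def naive_in_query(column: str, raw_list: str) -> str:
    """The pattern the thread worries about: the comma-delimited string is
    pasted into the SQL text, so it can carry SQL of its own."""
    return f"SELECT id, name FROM foo WHERE {column} IN ({raw_list}) ORDER BY id"

def make_db() -> sqlite3.Connection:
    """In-memory table with three constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO foo VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def select_in(conn: sqlite3.Connection, column: str, values: Sequence[Any]) -> list:
    sql, params = build_in_query(column, values)
    return conn.execute(sql, params).fetchall()

def select_in_naive(conn: sqlite3.Connection, column: str, raw_list: str) -> list:
    return conn.execute(naive_in_query(column, raw_list)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(select_in(db, "id", [1, 3]))          # [(1, 'alice'), (3, 'carol')]
    hostile = "1) OR 1=1 --"                    # constructed hostile input
    print(select_in(db, "id", [hostile]))       # []  (compared as a string value)
    print(select_in_naive(db, "id", hostile))   # all three rows: the OR was injected
```

With psycopg2 on PostgreSQL the same idea is usually written as `WHERE id = ANY(%s)` with a Python list bound as a single array parameter, which avoids building the placeholder string at all.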