Re: binds only for s,u,i,d?

From: Neil Conway
Subject: Re: binds only for s,u,i,d?
Date:
Msg-id: 1152133336.5466.8.camel@localhost
In reply to: binds only for s,u,i,d?  (Agent M <agentm@themactionfaction.com>)
List: pgsql-hackers
On Wed, 2006-07-05 at 06:55 -0400, Agent M wrote:
> Like you said, it would make sense to have binds anywhere where there 
> are quoted strings- if only for anti-injection. There could be a "flat" 
> plan which simply did the string substitution with the proper escaping 
> at execute time.

I don't see the point of implementing this in the backend. Perhaps what
you're really asking for is basically PQescapeIdentifier()?

> Escaping vulnerabilities would then be taken care of by server updates.

Escaping vulnerabilities are hardly the common case; in any case,
implementing this in libpq would allow a similar upgrade path.

-Neil
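
An added example, not part of the original message and not libpq code: a stand-alone C sketch of client-side identifier quoting of the kind the reply points to, with the value left as a `$1` bind parameter. The function names, the sample table names and the query text are assumptions made for illustration, and the sketch does not validate multibyte encodings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: quote an SQL identifier by wrapping it in double
 * quotes and doubling every embedded double quote. Returns a malloc'd
 * string, or NULL for an empty name or on allocation failure. */
char *quote_ident_example(const char *name)
{
    size_t len = strlen(name), quotes = 0;
    if (len == 0)
        return NULL;                       /* zero-length identifier */
    for (size_t i = 0; i < len; i++)
        if (name[i] == '"')
            quotes++;
    char *out = malloc(len + quotes + 3);  /* 2 delimiters + NUL */
    if (out == NULL)
        return NULL;
    char *p = out;
    *p++ = '"';
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '"')
            *p++ = '"';                    /* " becomes "" */
        *p++ = name[i];
    }
    *p++ = '"';
    *p = '\0';
    return out;
}

/* Hypothetical helper: the identifier is escaped on the client, the value
 * is never spliced into the text and stays a bind parameter ($1). */
char *build_select_example(const char *table)
{
    const char *fmt = "SELECT * FROM %s WHERE id = $1";
    char *ident = quote_ident_example(table);
    if (ident == NULL)
        return NULL;
    int n = snprintf(NULL, 0, fmt, ident);
    char *sql = malloc((size_t)n + 1);
    if (sql != NULL)
        snprintf(sql, (size_t)n + 1, fmt, ident);
    free(ident);
    return sql;
}

int main(void)
{
    /* Constructed sample names, including one with an embedded quote. */
    const char *samples[] = { "orders", "my table", "odd\"name" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *sql = build_select_example(samples[i]);
        printf("%s\n", sql ? sql : "(rejected)");
        free(sql);
    }
    return 0;
}
```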



