Re: Bind Variables and Quoting / Dequoting Input
| From | Michael Fuhr |
|---|---|
| Subject | Re: Bind Variables and Quoting / Dequoting Input |
| Date | |
| Msg-id | 20051210015827.GA17631@winnie.fuhr.org |
| In reply to | Re: Bind Variables and Quoting / Dequoting Input (Michael Fuhr <mike@fuhr.org>) |
| Replies | Re: Bind Variables and Quoting / Dequoting Input |
| List | pgsql-novice |
On Fri, Dec 09, 2005 at 06:22:29PM -0700, Michael Fuhr wrote:

> On Fri, Dec 09, 2005 at 01:54:13PM -0800, operationsengineer1@yahoo.com wrote:
> > Do I need to quote input even though I'm using bind
> > variables in my queries?
> >
> > I seem to think that quoting on entry and unquoting on
> > return was a method for fighting SQL injection, but
> > I'm also thinking that bind variables may make that
> > step meaningless.
>
> Using placeholders should eliminate the need to quote, either by
> quoting for you or by using the underlying protocol's mechanism for
> parameterized queries.

I might have misunderstood what you meant by "bind variables." Could you explain exactly what you're doing?

--
Michael Fuhr
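The point made in the reply above, that placeholders remove the need to quote on entry and unquote on return, is easiest to see by running the two query styles side by side. The example below is added here and is not code from the thread or from any of its participants. It uses Python's bundled sqlite3 module instead of PostgreSQL so that it runs offline with no server; the parameter marker there is `?` where psycopg2 for PostgreSQL would use `%s`, but the calling convention (SQL text plus a separate tuple of values) and the security property are the same. The table, rows and probe inputs are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the thread).
# One name contains a single quote, the case that manual quoting is meant to handle.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db():
    """Build an in-memory SQLite database populated via placeholders.

    The INSERT uses '?' placeholders, so "o'brien" is stored exactly as given:
    no quoting on entry, and therefore nothing to unquote on return.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", USERS)
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable form: the user-supplied value is spliced into the SQL text.

    This is the pattern that 'quote on entry' tries to patch up. Returns the
    list of matching names, or None if the spliced value broke the statement.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        # A stray quote in the input turned into a syntax error (or worse).
        return None


def lookup_parameterized(conn, name):
    """Safe form: the value travels as a bound parameter, never as SQL text.

    sqlite3 uses '?' markers; psycopg2 for PostgreSQL uses '%s' with the same
    (sql, params) calling convention. The driver, not the caller, handles quoting.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name):
    """Run both lookups on the same input and return (concatenated, parameterized)."""
    conn = make_db()
    try:
        return lookup_concatenated(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # Three probes: an ordinary name, a name containing a quote, and a classic
    # tautology injection. Only the concatenated form misbehaves on the last two.
    for probe in ("alice", "o'brien", "x' OR '1'='1"):
        unsafe, safe = compare(probe)
        print(f"{probe!r:20} concatenated={unsafe!r:32} parameterized={safe!r}")
```

For `o'brien` the concatenated query fails to parse, which is exactly the symptom that prompts people to start quoting on entry; for `x' OR '1'='1` it returns every row. The parameterized query returns the single matching row for the first input and no rows for the second, with the stored value coming back unchanged, so there is no unquoting step to perform on the way out.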