> I hope this isn't a FAQ, but does anyone have any
> suggestions as to
> how to make a query that selects using:
> "where in(<comma delimited list>)"
> secure from an sql injection point of view?
>
> As the length of the comma delimited list is highly
> variable I don't
> think I can use a prepared query to increase
> security.
>
Prepared query, no.. but you can still use parameter
binding. Determine how many parameters you need, and
create a query like this:
where in ($1, $2, $3, $4, $5)
and then bind each of those parameters. This works
well enough for small numbesr of parameters. Somebody
else will have to answer if there's a better way for
larger quantities.