"Merlin Moncure" <mmoncure@gmail.com> writes:
> On 9 May 2006 17:04:31 -0700, Karen Hill <karen_hill22@yahoo.com> wrote:
>> Is my understanding correct that the following is vulnerable to SQL
>> injection in psql:
> ...
> no, IMO this is the safest and best option.

Neither of the options that Karen shows is dangerous. What would be
dangerous is building a SQL command string and feeding it to EXECUTE
*without* using quote_literal.

I agree with Merlin that you shouldn't use EXECUTE unless you have to
--- it's both much slower than a precompiled statement, and much more
vulnerable to security mistakes.

regards, tom lane
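Tom's distinction, as an added example that is not part of the thread: a PL/pgSQL function that pastes its argument into an EXECUTE string, the same function fixed with quote_literal, and the static-SQL form he recommends instead. The table accounts(owner text) and the function names are assumed for illustration.

```sql
-- Added example, not from the original thread. Assumes a table
-- accounts(id, owner text); the function names are hypothetical.

-- Dangerous: the caller's text becomes part of the command string, so a
-- value containing a single quote changes the SQL that gets executed.
CREATE OR REPLACE FUNCTION count_by_owner_unsafe(p_owner text)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE 'SELECT count(*) FROM accounts WHERE owner = '''
            || p_owner || '''' INTO n;
    RETURN n;
END;
$$;

-- Safer: quote_literal() returns the value as a properly escaped string
-- literal, so it can only ever be compared as data, never parsed as SQL.
CREATE OR REPLACE FUNCTION count_by_owner_quoted(p_owner text)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE 'SELECT count(*) FROM accounts WHERE owner = '
            || quote_literal(p_owner) INTO n;
    RETURN n;
END;
$$;

-- Best, as Tom recommends: no EXECUTE at all. The statement is planned
-- once and p_owner is bound as a parameter, so there is nothing to escape.
CREATE OR REPLACE FUNCTION count_by_owner_static(p_owner text)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE
    n bigint;
BEGIN
    SELECT count(*) INTO n FROM accounts WHERE owner = p_owner;
    RETURN n;
END;
$$;

-- Quick check with an ordinary name that contains an apostrophe: the
-- unsafe version raises a syntax error because the literal is cut short,
-- while the quoted and static versions simply return a count.
SELECT count_by_owner_quoted('O''Neil'), count_by_owner_static('O''Neil');
```

One caveat a reviewer should know: quote_literal(NULL) yields NULL, which makes the whole concatenated command NULL and EXECUTE fail; later PostgreSQL releases added quote_nullable(), which emits the keyword NULL for that case.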