Tony Caduto wrote:
> Ken Johanson wrote:
>> Most of the corp folks I know who have tried using PG to augment or
>> replacement a commercial offering just tend to silently pause and
>> wait for this change.. that why this topic isn't really heard very
>> often. It's like going to a car lot to buy a SUV, but they don't have
>> any within sight.. the perspective buyer just moves on without saying
>> anything.
>
>
> I have converted databases from other DBs such as MS SQL server and
> never had a problem with string escaping, can you please post a
> example of what you mean? Do you mean inside of functions?
>
Well for a simple (for brevity) example, when you compile a query (not
via prepared stmts/argument based compilation) that takes user input,
how do you handle both backslashes and single-quotes? In practice the
way of doing this is quite different between pg and a iso-compliant db,
otherwise you have either code injection, or superfluous backslashes..
"SELECT firstName FROM tbl WHERE lastName = '"+toSql(userInput)+"' "