Re: binds only for s,u,i,d?

From: Greg Stark
Subject: Re: binds only for s,u,i,d?
Msg-id: 87irmcoww4.fsf@stark.xeocode.com
In reply to: Re: binds only for s,u,i,d?  (Neil Conway <neilc@samurai.com>)
Responses: Re: binds only for s,u,i,d?  (Andrew Dunstan <andrew@dunslane.net>)
List: pgsql-hackers
Neil Conway <neilc@samurai.com> writes:

> On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
> 
> > Why can't preparation be used as a global anti-injection facility?
> 
> All that work would need to be deferred to EXECUTE-time, which would largely
> defeat the purpose of server-side prepared statements, no?

It would also defeat the anti-injection purpose. If you can use parameters to
change the semantics of the query then you're not really protected any more.
The whole security advantage of using parameters comes from knowing exactly
what a query will do with the data you provide.

-- 
greg
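As an added illustration of the point above (this is not part of the thread, and not PostgreSQL project code), here is a constructed PostgreSQL session. The table, its rows and the injection-shaped input are made up for the example. It shows the three things the reply relies on: a bind parameter is compared as a value no matter what characters it contains, a parameter cannot occupy a structural position in the statement at all, and only splicing the value into the query text lets the input change what the query does.

```sql
-- Constructed sample data (not from the thread).
CREATE TEMP TABLE accounts (id int, owner text, balance numeric);
INSERT INTO accounts VALUES (1, 'alice', 100), (2, 'bob', 250);

-- The statement's shape is fixed when it is prepared; $1 is a text value
-- that will be compared against owner, nothing more.
PREPARE find_owner(text) AS
    SELECT id, owner, balance FROM accounts WHERE owner = $1;

-- Ordinary value: matches the row for alice.
EXECUTE find_owner('alice');

-- Injection-shaped value: the entire string, quote and OR included, is
-- compared as an owner name, so it matches no row. The prepared plan
-- never changes.
EXECUTE find_owner('alice'' OR ''1''=''1');

-- A parameter cannot stand in for a table, column or keyword, so it has no
-- way to redefine what the statement does. This does not parse:
PREPARE bad_table(text) AS SELECT * FROM $1;

-- Contrast: building the query text by concatenation makes the value part of
-- the statement's structure, which is exactly what parameters prevent.
DO $$
DECLARE
    input text := 'alice'' OR ''1''=''1';   -- constructed attacker-controlled value
    n     bigint;
BEGIN
    -- Vulnerable: the value is spliced into the query text, so the OR
    -- becomes a predicate and every row matches.
    EXECUTE 'SELECT count(*) FROM accounts WHERE owner = ''' || input || ''''
        INTO n;
    RAISE NOTICE 'concatenated query matched % rows', n;

    -- Hardened: the same value travels as a bind parameter via USING;
    -- the query text is constant and the value matches no owner.
    EXECUTE 'SELECT count(*) FROM accounts WHERE owner = $1'
        INTO n USING input;
    RAISE NOTICE 'parameterized query matched % rows', n;
END
$$;
```

Run it in psql against any PostgreSQL server. The bad_table PREPARE fails with a syntax error at $1 and can be deleted or skipped; in the DO block the concatenated query counts both rows while the parameterized one counts none, which is the difference Greg is pointing at: with parameters you know at PREPARE time exactly what the statement will do with whatever data arrives later.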


