On Wed, Aug 9, 2017 at 3:21 PM, Jym Morton <jym@outlook.com> wrote:
When I write software and use a database, I don't need to escape literals if I have a Prepared Statement. This is a major reason some of us use Prepared Statements. So, when I looked at this page, I was unclear about whether or not I had to do it.
(PostgreSQL syntax)
PREPARE stmt(text) AS SELECT $1;
EXECUTE stmt('; TRUNCATE pg_catalog');  -- returns the string as-is; the parameter is data, not SQL, so nothing is truncated
To be clear - you only need to escape the single quote once - to write the original literal.
EXECUTE stmt('bob''s niece');  -- returns bob's niece, with no risk of SQL injection
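Added example, not from the thread: the same point shown in Python with the standard library's sqlite3 module, used here as a stand-in for PostgreSQL's PREPARE/EXECUTE because it needs no server. The table, rows and lookup functions are constructed for this example. The hand-built query shows both failure modes of writing the literal yourself (an unescaped quote breaks the statement, a crafted value rewrites it); the bound-parameter query takes the raw string with no doubling and no injection.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    # Constructed sample data: an in-memory table standing in for a real one.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    conn.executemany("INSERT INTO people VALUES (?)",
                     [("bob's niece",), ("alice",)])
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The value is spliced into the SQL text, so the caller must double the
    # quote (bob''s niece) by hand, and a crafted value can change the query.
    sql = "SELECT name FROM people WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding (sqlite3's '?' here, $1 in PostgreSQL): the value is
    # sent as data and never becomes part of the SQL text, so it needs no
    # escaping and cannot alter the statement.
    return [row[0] for row in
            conn.execute("SELECT name FROM people WHERE name = ?", (name,))]


def demo() -> dict:
    conn = setup()
    results = {}
    # Bound parameter: the raw string, single quote and all, matches the row.
    results["safe_quote"] = lookup_safe(conn, "bob's niece")
    # Bound parameter: the injection payload is just a name nobody has.
    results["safe_inject"] = lookup_safe(conn, "' OR '1'='1")
    # Spliced literal: the unescaped quote leaves an unbalanced string.
    try:
        lookup_unsafe(conn, "bob's niece")
        results["unsafe_quote"] = "ran"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "syntax error"
    # Spliced literal: doubling the quote by hand is what makes it work.
    results["unsafe_escaped"] = lookup_unsafe(conn, "bob''s niece")
    # Spliced literal: the payload rewrites the WHERE clause and dumps every row.
    results["unsafe_inject"] = lookup_unsafe(conn, "' OR '1'='1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The only time the quote is doubled is in `lookup_unsafe`, where the string is being written into SQL text; with a bound parameter the application passes `bob's niece` exactly as the user typed it.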