> I hope this isn't a FAQ, but does anyone have any > suggestions as to > how to make a query that selects using: > "where in(<comma delimited list>)" > secure from an sql injection point of view? > > As the length of the comma delimited list is highly > variable I don't > think I can use a prepared query to increase > security. >
Prepared query, no.. but you can still use parameter binding. Determine how many parameters you need, and create a query like this: where in ($1, $2, $3, $4, $5) and then bind each of those parameters. This works well enough for small numbesr of parameters. Somebody else will have to answer if there's a better way for larger quantities. -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
