"Merlin Moncure" <[EMAIL PROTECTED]> writes:
> On 9 May 2006 17:04:31 -0700, Karen Hill <[EMAIL PROTECTED]> wrote:
>> Is my understanding correct that the following is vulnerable to SQL
>> injection in psql:
> ...
> no, IMO this is the safest and best option.
Neither of the options that Karen shows are dangerous. What would be dangerous is building a SQL command string and feeding it to EXECUTE *without* using quote_literal.

I agree with Merlin that you shouldn't use EXECUTE unless you have to --- it's both much slower than a precompiled statement, and much more vulnerable to security mistakes.

regards, tom lane
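The three shapes Tom contrasts, written out as PL/pgSQL functions. This is an added example, not code from the thread or from the PostgreSQL project; the `accounts` table and its columns are constructed for illustration. The `EXECUTE ... USING` form did not exist at the time of this thread (it arrived in PostgreSQL 8.4) and is included as the form a practitioner would reach for today when dynamic SQL is unavoidable.

```sql
-- Constructed table for the example (assumption, not from the thread).
CREATE TABLE IF NOT EXISTS accounts (
    id       serial PRIMARY KEY,
    username text NOT NULL,
    balance  numeric NOT NULL
);

-- 1. Static SQL inside the function body. PL/pgSQL sends p_user as a bound
--    parameter of a prepared plan, so its contents are never parsed as SQL.
--    This is the "safest and best option": no EXECUTE, no quoting needed.
CREATE OR REPLACE FUNCTION get_balance_static(p_user text) RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    SELECT balance INTO v_balance FROM accounts WHERE username = p_user;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- 2. The dangerous shape: a command string assembled by concatenation and
--    fed to EXECUTE without quote_literal. A value containing a single quote
--    closes the literal early, and whatever follows is parsed as SQL.
CREATE OR REPLACE FUNCTION get_balance_unsafe(p_user text) RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    EXECUTE 'SELECT balance FROM accounts WHERE username = ''' || p_user || ''''
       INTO v_balance;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- 3a. EXECUTE with quote_literal(): the value is rendered as a correctly
--     escaped string literal, so embedded quotes cannot terminate it.
--     Note quote_literal(NULL) yields NULL, which NULLs the whole command;
--     use quote_nullable() if NULL input is possible.
CREATE OR REPLACE FUNCTION get_balance_quoted(p_user text) RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    EXECUTE 'SELECT balance FROM accounts WHERE username = '
            || quote_literal(p_user)
       INTO v_balance;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- 3b. EXECUTE ... USING (PostgreSQL 8.4 and later): the value is passed as a
--     parameter ($1) rather than spliced into the SQL text, so no quoting is
--     involved at all. Prefer this whenever EXECUTE is genuinely required.
CREATE OR REPLACE FUNCTION get_balance_using(p_user text) RETURNS numeric AS $$
DECLARE
    v_balance numeric;
BEGIN
    EXECUTE 'SELECT balance FROM accounts WHERE username = $1'
       INTO v_balance
      USING p_user;
    RETURN v_balance;
END;
$$ LANGUAGE plpgsql;

-- Usage: all four accept the same argument; only get_balance_unsafe lets the
-- argument's characters change the statement that is executed.
-- SELECT get_balance_static('alice'), get_balance_using('alice');
```

Identifiers (table or column names) cannot go through `USING`; if those must be dynamic, build them with `quote_ident()` or `format('%I', ...)` and keep every data value in `USING` or `quote_literal()`/`format('%L', ...)`.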