Eliminating the problem
Posted Jun 2, 2006 12:05 UTC (Fri) by smitty_one_each
In reply to: Eliminating the problem
Parent article: SQL injection vulnerabilities in PostgreSQL
>Frankly I'm confused as to why you WOULDN'T use prepared queries.
Oh, the motives might break down along the traditional compiled/dynamic lines.
I like to have a single function that can transform the Request.Form into an arbitrary array of SQL statements, particularly for INSERT/UPDATE situations.
For generic text fields, I just replace ' with `, and I'm on my merry way. O`Neal never noticed, though I admit this could simply be "moving the problem".
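As an added example, not the commenter's code: the "single function" idea can keep prepared statements, because the form only decides which allowlisted columns appear while every value travels as a bound parameter. The table, columns and form contents below are constructed; sqlite3 stands in for PostgreSQL so it runs offline.

```python
# Added example (not the commenter's code): one generic function that turns a
# submitted form (a dict, standing in for Request.Form) into an INSERT or
# UPDATE, but keeps every value out of the SQL text by using placeholders.
# sqlite3 is used so it runs offline; PostgreSQL drivers take the same shape
# (placeholder syntax differs: "?" here, "%s" or "$1" elsewhere).
import sqlite3

# Column names cannot be parameterised, so they come from an allowlist that
# the form cannot extend (hypothetical table and columns for this example).
ALLOWED = {"customers": {"name", "email"}}


def build_statement(table, form, key=None):
    """Return (sql, params) for an INSERT (key is None) or an UPDATE of the
    row whose id equals key. Values never touch the SQL string."""
    cols = [c for c in form if c in ALLOWED[table]]
    if not cols:
        raise ValueError("no permitted columns in form")
    params = [form[c] for c in cols]
    if key is None:
        sql = "INSERT INTO %s (%s) VALUES (%s)" % (
            table, ", ".join(cols), ", ".join("?" for _ in cols))
    else:
        sql = "UPDATE %s SET %s WHERE id = ?" % (
            table, ", ".join("%s = ?" % c for c in cols))
        params.append(key)
    return sql, params


def round_trip(form):
    """Store a form with the built statement and read the name back unchanged."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name, email)")
    sql, params = build_statement("customers", form)
    con.execute(sql, params)
    return con.execute("SELECT name FROM customers").fetchone()[0]


if __name__ == "__main__":
    # Constructed form: an apostrophe in the data and a stray extra field.
    form = {"name": "O'Neal", "email": "o@example.com", "isadmin": "1"}
    print(build_statement("customers", form))
    print(round_trip(form))  # O'Neal, apostrophe intact, nothing swapped for `
```

The stray `isadmin` field is dropped by the allowlist rather than reaching the statement, and the apostrophe is stored as typed, so no quote substitution is needed.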