
Eliminating the problem

Posted Jun 2, 2006 19:02 UTC (Fri) by mrshiny (subscriber, #4266)
In reply to: Eliminating the problem by smitty_one_each
Parent article: SQL injection vulnerabilities in PostgreSQL

The only advantage, that I can think of, is that you can generate complete SQL statements ahead of time in one place, and later on execute them. However, if that is the pattern you wish to accomplish, it's trivial to wrap the generated string and the arguments to bind together in one object. Otherwise, I still don't see the problem... you can generate dynamic SQL statements for prepared queries, and bind the parameters afterwards. Where I work we do this all the time; also another poster in this thread has even gone to the lengths of creating an SQL statement abstraction that generates the SQL and stores the parameters to bind in one step. It's easy and foolproof.

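An added example (not code from this comment or from the parent article) of the pattern the comment describes: the generated SQL string and the parameters to bind travel together in one object, so a statement can be assembled dynamically from untrusted filter values and executed later with those values bound rather than concatenated. It uses sqlite3 so it runs stand-alone (a PostgreSQL driver would use its own placeholder syntax); the table, rows and column allowlist are constructed for illustration.

```python
import sqlite3

# Columns a caller may filter on. Identifiers cannot be bound as parameters,
# so they are checked against this allowlist instead of being interpolated.
FILTERABLE = {"name", "role", "age"}


class Query:
    """A generated SQL string and the parameters to bind, kept together."""

    def __init__(self, sql):
        self.parts = [sql]
        self.params = []

    def add_filter(self, column, value):
        if column not in FILTERABLE:
            raise ValueError(f"unknown column {column!r}")
        joiner = " WHERE " if len(self.parts) == 1 else " AND "
        # Only a placeholder goes into the SQL; the value goes into params.
        self.parts.append(f"{joiner}{column} = ?")
        self.params.append(value)
        return self

    @property
    def sql(self):
        return "".join(self.parts)

    def run(self, conn):
        # The driver binds params separately; they are never parsed as SQL.
        return conn.execute(self.sql, self.params).fetchall()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "admin", 41), ("bob", "user", 29), ("carol", "user", 35)])
    return conn


def find_users(conn, filters):
    """Build the statement from arbitrary filters, then execute it bound."""
    q = Query("SELECT name FROM users")
    for column, value in filters.items():
        q.add_filter(column, value)
    return [row[0] for row in q.run(conn)]


if __name__ == "__main__":
    db = make_db()
    print(find_users(db, {"role": "user", "age": 35}))   # ['carol']
    # A classic injection string is bound as a plain value and matches nothing.
    print(find_users(db, {"name": "x' OR '1'='1"}))      # []
```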

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds