Re: [UDD] Changing aux.py to fix quoting
On Sat, Feb 04, 2012 at 05:05:27PM +0800, Paul Wise wrote:
> On Sat, Feb 4, 2012 at 4:46 PM, Andreas Tille wrote:
>
> > since I switched to PostgreSQL 9.1 I realised that quoting "'"
> > characters does not work any more by escaping it using "\" signs.
> > I wonder, how at all aux.py could work for others. Because I have
> > the feeling that I missed something I'm just asking for comments
> > for the following patch to not break any UDD application.
> >
> > So what do you think about this which is needed *at my machine running
> > testing*:
>
> Sounds like you want to be using prepared statements, otherwise you
> risk SQL injections.
The quotation is actually used to feed strings into prepared statements.
Thanks for the hint anyway.
Andreas.
--
http://fam-tille.de
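An added illustration of the two points raised in this thread (it is not code from aux.py or from UDD): why backslash-escaping a single quote stops working once the server treats string literals in the SQL-standard way (PostgreSQL 9.1 turned standard_conforming_strings on by default), why doubling the quote is the portable hand-quoting rule, and why binding parameters sidesteps the quoting question entirely. It uses an in-memory sqlite3 database as a stand-in for PostgreSQL so it runs offline; sqlite3 follows the same standard rule that a backslash inside a literal is an ordinary character. The table, the sample name and the helper names are constructed for the example.

```python
"""Hand-rolled SQL quoting versus parameter binding (added example,
not part of the UDD thread).  sqlite3 stands in for PostgreSQL here."""
import sqlite3


def backslash_quote(value):
    # Pre-9.1 habit: write ' as \'.  Under standard_conforming_strings=on
    # (PostgreSQL 9.1 default) and in sqlite3 a backslash is not an escape,
    # so the literal ends at the first quote and the statement breaks.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def standard_quote(value):
    # SQL-standard quoting: double every single quote.  Works whether or
    # not the server interprets backslash escapes.
    return "'" + value.replace("'", "''") + "'"


def setup():
    # Constructed table for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE maintainer (name TEXT, email TEXT)")
    return conn


def insert_with_quoting(conn, name, email, quote):
    # String-building approach: the values are spliced into the SQL text,
    # so correctness depends on the quoting function matching the server.
    sql = "INSERT INTO maintainer VALUES (%s, %s)" % (quote(name), quote(email))
    conn.execute(sql)


def insert_with_params(conn, name, email):
    # Parameter binding: the driver passes the values separately from the
    # statement text, so no server quoting rule applies and no input can
    # change the statement's structure.  psycopg2 uses %s placeholders
    # instead of ?, but the pattern is the same.
    conn.execute("INSERT INTO maintainer VALUES (?, ?)", (name, email))


def fetch_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM maintainer")]


def demo():
    conn = setup()
    name = "O'Brien"  # constructed sample value containing a single quote
    email = "ob@example.org"
    results = {}
    try:
        insert_with_quoting(conn, name, email, backslash_quote)
        results["backslash"] = "accepted"
    except sqlite3.OperationalError:
        results["backslash"] = "syntax error"
    insert_with_quoting(conn, name, email, standard_quote)
    insert_with_params(conn, name, email)
    results["names"] = fetch_names(conn)
    return results


if __name__ == "__main__":
    print(demo())
```

The backslash variant fails with a syntax error, the doubled-quote variant and the bound parameter both store the name intact. When a value must nonetheless be spliced into statement text (DDL, for instance), the doubled-quote form is the one that survives a change of standard_conforming_strings; for ordinary data, parameter binding is the safer default because it cannot be undone by a server setting.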