Re: Bind Variables and Quoting / Dequoting Input
| From | Michael Fuhr |
|---|---|
| Subject | Re: Bind Variables and Quoting / Dequoting Input |
| Date | |
| Msg-id | 20051212175502.GA59846@winnie.fuhr.org |
| In reply to | Re: Bind Variables and Quoting / Dequoting Input (<operationsengineer1@yahoo.com>) |
| Responses | Re: Bind Variables and Quoting / Dequoting Input |
| List | pgsql-novice |
On Mon, Dec 12, 2005 at 09:08:32AM -0800, operationsengineer1@yahoo.com wrote:
> Mike, thanks. I was getting quotes inside the
> database "cells", which is why I had to figure out
> what was going on. The data is inserted correctly
> now, I just want to make sure the process is also a
> safe process.

Using placeholders is supposed to be safe -- that's part of the rationale
for using them -- but you'd have to examine the implementation to be sure
it doesn't have any vulnerabilities.  I see the following in the ADOdb
documentation:

    Currently Oracle, Interbase and ODBC supports variable binding.
    Interbase/ODBC style ? binding is emulated in databases that do not
    support binding. Note that you do not have to quote strings if you
    use binding.

If this documentation is up to date then apparently the PostgreSQL
driver does emulation.  Recent versions of PostgreSQL (7.4 and later)
support separation of SQL and parameters at the protocol layer but
you'd have to dig into ADOdb to see if it uses that capability.

--
Michael Fuhr
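To make concrete what "emulated binding" means, and why the reply says you have to examine the implementation: below is an added illustration (not ADOdb's code, not from anyone in this thread) of the client-side work a driver must do when it emulates `?` placeholders by quoting. It assumes the server reads plain single-quoted literals and, as older PostgreSQL servers with `standard_conforming_strings` off did, treats backslash inside them as an escape. With protocol-level binding the value never passes through the SQL text, so none of this quoting is on the security path.

```python
def quote_literal(value):
    """Render a Python value as a PostgreSQL literal for emulated binding.

    Assumption: the target server accepts plain '...' literals and treats
    backslash as an escape character inside them, so both the quote and
    the backslash must be doubled. NUL bytes cannot be stored in text at
    all, so they are rejected rather than silently truncating the value.
    """
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return "TRUE" if value else "FALSE"
    if isinstance(value, (int, float)):
        return repr(value)
    s = str(value)
    if "\x00" in s:
        raise ValueError("NUL byte cannot appear in a PostgreSQL string literal")
    return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"


def emulate_bind(sql, params):
    """Replace each '?' placeholder that is outside a quoted literal.

    A '?' inside an existing '...' literal is data, not a placeholder, so the
    scanner copies literals verbatim (honouring doubled quotes). Only
    single-quoted literals are recognised; comments and dollar quoting are
    out of scope for this illustration.
    """
    out, i, n, p = [], 0, len(sql), 0
    while i < n:
        c = sql[i]
        if c == "'":
            j = i + 1
            while j < n:
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":   # escaped quote ''
                        j += 2
                        continue
                    break
                j += 1
            out.append(sql[i:j + 1])
            i = j + 1
        elif c == "?":
            if p >= len(params):
                raise ValueError("not enough parameters for placeholders")
            out.append(quote_literal(params[p]))
            p += 1
            i += 1
        else:
            out.append(c)
            i += 1
    if p != len(params):
        raise ValueError("too many parameters for placeholders")
    return "".join(out)
```

Auditing a driver's emulation means checking exactly these cases: quotes, backslashes, NULs, and placeholders that sit inside literals.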