Re: Sql injection attacks

Greg Stark <gsstark@mit.edu> writes:
> Incidentally, you should be able to prepare queries and execute them later
> like the DBI and PHP interfaces, but there's an odd comment in the docs:

>   Presently, prepared statements for use with PQexecPrepared must be set up by
>   executing an SQL PREPARE command, which is typically sent with PQexec
>   (though any of libpq's query-submission functions may be used). A
>   lower-level interface for preparing statements may be offered in a future
>   release.

> I don't think this is true any more. I think the low level protocol exists
> now. It's possible the libpq method doesn't exist yet though.
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

That's what the comment is trying to tell you: libpq does not currently
offer a way to use the V3-protocol Prepare message.

            regards, tom lane