On 17/04/2008, at 9:10 AM, Don Baccus wrote:
ns_db select $db {select * from people where country = $1 and age > $2} [list "au" 25]
Geez, names are more readable than numbers in any sizable query.
The numbers/names issue isn't that important to me. What is important is
that I would like to see variables explicitly attached to the query
rather than simply saying: "use this existing Tcl variable."
nspostgres supports the optional passing of an ns_set to define the
bind vars
How does this work, do you have an example?
And before answering "well, they can always use the variable
directly" remember that both emulated and real bind vars give
protect against sql smuggling.
I would never say that; not having to worry about quoting is one of
the main advantages of using bind variables/parameters.
Bas.
--
AOLserver - http://www.aolserver.com/
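The point the thread keeps returning to, that bind variables (positional like Don's `$1`/`$2` or named via an ns_set) remove the quoting problem entirely, is shown below as an added example. It is not code from the thread or from AOLserver/nspostgres; it uses Python's standard `sqlite3` module rather than `ns_db`, because the property is the same in any driver: a bound value can only ever be a value, never SQL text. The table, rows and the `SMUGGLED_COUNTRY` input are constructed here for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the 'people' table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people (name text, country text, age integer)")
    conn.executemany(
        "insert into people values (?, ?, ?)",
        [("ann", "au", 30), ("bob", "au", 20), ("cho", "nz", 40)],
    )
    return conn


def search_interpolated(conn, country, min_age):
    # "use the existing variable directly": the value is pasted into the SQL
    # text, so any quote characters in it become part of the statement.
    sql = f"select name from people where country = '{country}' and age > {min_age}"
    return [row[0] for row in conn.execute(sql)]


def search_positional(conn, country, min_age):
    # Values attached to the query by position, the $1/$2 style Don proposes;
    # sqlite3 spells a positional placeholder as '?'.
    sql = "select name from people where country = ? and age > ?"
    return [row[0] for row in conn.execute(sql, (country, min_age))]


def search_named(conn, country, min_age):
    # Values attached by name, the ns_set style: the mapping plays the role of
    # the set handed to the driver alongside the query.
    sql = "select name from people where country = :country and age > :min_age"
    return [row[0] for row in conn.execute(sql, {"country": country, "min_age": min_age})]


# Constructed input containing a quote, the classic smuggling shape.
SMUGGLED_COUNTRY = "au' or '1'='1"


def run_comparison():
    """Run all three variants on a benign and a smuggled value; return sorted results."""
    conn = make_db()
    return {
        "benign_interpolated": sorted(search_interpolated(conn, "au", 25)),
        "benign_positional": sorted(search_positional(conn, "au", 25)),
        "benign_named": sorted(search_named(conn, "au", 25)),
        # With interpolation the quote closes the literal and the tail is parsed as SQL,
        # so the country filter is defeated and every row comes back.
        "smuggled_interpolated": sorted(search_interpolated(conn, SMUGGLED_COUNTRY, 25)),
        # With bind vars the whole string is compared as a country value; nothing matches.
        "smuggled_positional": sorted(search_positional(conn, SMUGGLED_COUNTRY, 25)),
        "smuggled_named": sorted(search_named(conn, SMUGGLED_COUNTRY, 25)),
    }


if __name__ == "__main__":
    for label, names in run_comparison().items():
        print(f"{label}: {names}")
```

Whether the driver does real server-side binding or emulates it by quoting each value before substitution, the caller's code looks the same as the two bind-var functions above, which is why the thread treats both as equivalent for this purpose.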