And with regard to protecting against SQL injections, using ns_dbquote and
the binding emulation both seem like they'd do the trick. If your bind
variable or quoted variable contains something like NULL or a bit of SQL
or a special column like the postgres equivalent of "sysdate" which is
slipping my mind at the moment, then you won't get what you "expected"
probably, you'll get the literal value. That's kind of the price you
have to pay if you want to put values that come straight from a user
into the database safely though.
Tom Jackson wrote:
On Sat, Dec 5, 2009 at 6:01 PM, Don Baccus <[email protected]> wrote:
On Dec 5, 2009, at 5:13 PM, Tom Jackson wrote:
Tcl can write a query string which uses the keyword NULL.
Unfortunately the simple (but very nice and also safe) bind variable
concept doesn't handle this common requirement.
You've got it backwards, it's the empty string, not NULL, which a bind
variable in Oracle (or in our emulation for postgres), doesn't handle - it
becomes NULL (this is true of the empty string in Oracle in general).
The "requirement" is the ability to handle both the empty string and NULL.
Personally I like the Oracle behavior.
tom jackson
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to
<[email protected]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject:
field of your email blank.
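The behavior discussed in this thread, as an added example that is not part of the original messages and is not AOLserver or driver code: a simplified bind-variable emulation that substitutes quoted literals, so a user value such as NULL, a date keyword, or a fragment of SQL is stored as the literal text, while the empty string becomes SQL NULL. The function names, the `notes` table, and the sample values are constructed for illustration, and SQLite stands in for the real database.

```python
import re
import sqlite3

def quote_literal(value):
    """Render a value as a SQL string literal.

    Assumption for illustration: like the emulation described in the thread,
    the empty string is mapped to SQL NULL (Oracle-style).
    """
    if value is None or value == "":
        return "NULL"
    return "'" + str(value).replace("'", "''") + "'"

def emulate_bind(sql, binds):
    """Replace each :name placeholder with the quoted literal for binds[name].

    Simplified: the lookbehind skips '::' casts, but placeholders inside
    string literals in the SQL text itself are not detected.
    """
    return re.sub(r"(?<!:):([A-Za-z_]\w*)",
                  lambda m: quote_literal(binds[m.group(1)]), sql)

# Constructed sample inputs standing in for values that come from a user.
SAMPLES = ["NULL", "CURRENT_TIMESTAMP", "x'); DROP TABLE notes; --", ""]

def stored_with_emulation():
    """Insert each sample through the emulation and return what was stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    for value in SAMPLES:
        db.execute(emulate_bind("INSERT INTO notes (body) VALUES (:body)",
                                {"body": value}))
    return [row[0] for row in db.execute("SELECT body FROM notes ORDER BY id")]

def stored_with_native_binding():
    """Same inserts with SQLite's own binding, which keeps '' distinct from NULL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    for value in SAMPLES:
        db.execute("INSERT INTO notes (body) VALUES (:body)", {"body": value})
    return [row[0] for row in db.execute("SELECT body FROM notes ORDER BY id")]

if __name__ == "__main__":
    print(stored_with_emulation())
    print(stored_with_native_binding())
```

The first three samples come back as plain text in both cases; only the last differs, which is the empty string versus NULL distinction the replies argue about.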