On Dec 6, 2009, at 9:19 PM, Rusty Brooks wrote:

> And in regards to protecting from sql injections, using ns_dbquote and the binding emulation both seem like they'd do the trick.
>
> If a user types in NULL and you call ns_dbquote, you'll get 'NULL'.

Just as with the binding emulation.

> The only way to have the literal NULL act as the SQL NULL is by essentially removing the string 'NULL' from the set of inputs that will result in a string being put into the database.
>
> If your bind variable or quoted variable contains something like NULL or a bit of SQL or a special column like the postgres equivalent of "sysdate" which is slipping my mind at the moment

current_timestamp, which is standard SQL.

> , then you won't get what you "expected" probably, you'll get the literal value. That's kind of the price you have to pay if you want to put values that come straight from a user into the database safely though.

Yes, indeed.

----
Don Baccus
http://donb.photo.net
http://birdnotes.net
http://openacs.org
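The behaviour discussed above, shown as an added example that is not part of the thread and not AOLserver's code: a small Python script against an in-memory SQLite database. The quote_value function is an assumed approximation of what the thread attributes to ns_dbquote (wrap in single quotes, double embedded quotes); insert_bound uses the driver's real parameter binding. Both store the user-typed string "NULL" and the SQL function name "current_timestamp" as literal text. Only insert_with_null_policy, where the application itself decides which inputs map to None, produces a SQL NULL. The table name, column, and the null-mapping rule are constructed for the example.

```python
import sqlite3


def quote_value(value):
    """Assumed approximation of ns_dbquote's effect as described in the thread:
    wrap the value in single quotes and double any embedded single quote.
    Not AOLserver's implementation; written here for illustration."""
    return "'" + str(value).replace("'", "''") + "'"


def setup():
    # Constructed schema for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def insert_quoted(conn, user_input):
    """Statement built by concatenating the quoted literal into the SQL text.
    Whatever the user typed arrives as a string literal, never as SQL."""
    sql = "INSERT INTO notes (body) VALUES (" + quote_value(user_input) + ")"
    conn.execute(sql)
    return sql


def insert_bound(conn, user_input):
    """Driver-side binding: the value is passed beside the SQL, not inside it.
    The result for the stored row is the same as with quoting."""
    conn.execute("INSERT INTO notes (body) VALUES (?)", (user_input,))


def insert_with_null_policy(conn, user_input):
    """The application, not the quoting or binding layer, decides which inputs
    become SQL NULL. Constructed policy: the exact strings "NULL" and "" map to
    NULL; every other input is stored as text."""
    value = None if user_input in ("NULL", "") else user_input
    conn.execute("INSERT INTO notes (body) VALUES (?)", (value,))


def stored_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]


def count_null_bodies(conn):
    return conn.execute("SELECT COUNT(*) FROM notes WHERE body IS NULL").fetchone()[0]


def demo():
    conn = setup()
    # Constructed user inputs: the word NULL, a SQL function name,
    # and a value with an embedded quote.
    inputs = ["NULL", "current_timestamp", "O'Brien"]
    for s in inputs:
        insert_quoted(conn, s)
        insert_bound(conn, s)
    bodies = stored_bodies(conn)          # all six rows hold literal text
    nulls_before = count_null_bodies(conn)  # 0: no row is SQL NULL yet
    insert_with_null_policy(conn, "NULL")
    nulls_after = count_null_bodies(conn)   # 1: only the policy produced NULL
    return bodies, nulls_before, nulls_after


if __name__ == "__main__":
    print(demo())
```

The point the script makes is the one Rusty and Don agree on: quoting and binding both keep user input out of the SQL grammar, so "NULL" and "current_timestamp" land in the table as text, and a SQL NULL only appears when application code explicitly removes that input from the set of strings it stores.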


--
AOLserver - http://www.aolserver.com/
