Glen Ditchfield wrote:
> On Tuesday 24 January 2006 02:13, Nathaniel Smith wrote:
>> The new API is like:
>> execute(query("DELETE FROM my_table WHERE attr = ?") % blob(foo));
>
> Is there some code somewhere that escapes single-quotes? I've seen too many
> bugs in other systems where the code sets up a query like
> "SELECT stuff FROM my_table WHERE surname = '?' ")
> and then some other code substitutes in "O'Toole" instead of "O''Toole".

This is not an issue here since query and parameter are passed separately to the database. (And the parameter is not parsed.)

Christof
Monotone-devel mailing list: [email protected] http://lists.nongnu.org/mailman/listinfo/monotone-devel
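The difference the thread is about, shown as an added example that is not monotone's code: the spliced-string pattern Glen describes breaks on "O'Toole", while a bound parameter (the `?` placeholder of the new API) is handed to the database separately and never parsed as SQL. It uses Python's sqlite3 module against a constructed in-memory table, not monotone's schema.

```python
import sqlite3

# Constructed sample table for the demonstration (not monotone's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (id INTEGER PRIMARY KEY, surname TEXT, attr BLOB)")
    conn.executemany("INSERT INTO my_table (surname, attr) VALUES (?, ?)",
                     [("O'Toole", b"\x00\x01"), ("Smith", b"\x02")])
    conn.commit()
    return conn

def lookup_by_string_splicing(conn, surname):
    """The fragile pattern from the thread: the value is pasted into the SQL
    text, so a single quote inside the value changes the statement's syntax."""
    sql = "SELECT id FROM my_table WHERE surname = '%s'" % surname
    return [row[0] for row in conn.execute(sql)]

def lookup_by_parameter(conn, surname):
    """The bound-parameter pattern: SQL text and value travel separately and the
    value is never parsed as SQL, so no quote doubling is needed."""
    sql = "SELECT id FROM my_table WHERE surname = ?"
    return [row[0] for row in conn.execute(sql, (surname,))]

def delete_by_blob(conn, blob):
    """Binary parameters need no escaping either (the thread's blob(foo) case).
    Returns the number of rows deleted."""
    cur = conn.execute("DELETE FROM my_table WHERE attr = ?", (blob,))
    conn.commit()
    return cur.rowcount

def demo():
    conn = make_db()
    results = {}
    try:
        results["spliced"] = lookup_by_string_splicing(conn, "O'Toole")
    except sqlite3.OperationalError as e:   # the quote in the value breaks the SQL
        results["spliced"] = "error: %s" % e
    results["bound"] = lookup_by_parameter(conn, "O'Toole")
    # A value that merely looks like SQL stays an ordinary string when bound.
    results["bound_sqlish"] = lookup_by_parameter(conn, "x' OR '1'='1")
    results["deleted"] = delete_by_blob(conn, b"\x00\x01")
    return results

if __name__ == "__main__":
    print(demo())
```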
