On Wed, Aug 9, 2017 at 4:03 PM, David G. Johnston <david.g.johns...@gmail.com> wrote:

> On Wed, Aug 9, 2017 at 3:21 PM, Jym Morton <j...@outlook.com> wrote:
>
>> When I write software, and use a database I don’t need to escape literals
>> if I have a Prepared Statement. This is a major reason some of us use
>> Prepared Statements. So, when I looked at this page, I was unclear about
>> whether or not I had to do it.
>>
>
> (pseudo-code)
> PREPARE 'SELECT $1';
> EXECUTE ('; TRUNCATE pg_catalog');
>
> To be clear - you only need to escape the single quote once - to write the
> original literal.
>
> EXECUTE ('bob''s niece') -- bob's niece, with no risk of SQL injection
>
> David J.
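As an added example that is not part of the thread: a PostgreSQL session (assuming psql; the temporary table `people` and its rows are constructed here) showing that a value handed to a PREPARE/EXECUTE parameter is only ever data, and that the doubled quote is string-literal syntax you write exactly once.

```sql
-- Added example, not from the thread. Assumes psql against PostgreSQL;
-- the table and rows below are constructed for the demonstration.
CREATE TEMP TABLE people (name text);
INSERT INTO people VALUES ('bob''s niece'), ('alice');

-- The parameter is a typed text value; it is bound, not parsed as SQL.
PREPARE find_person(text) AS
    SELECT name FROM people WHERE name = $1;

-- The doubled quote is only the literal syntax for one apostrophe.
-- The value bound to $1 is the 7+ character string: bob's niece
EXECUTE find_person('bob''s niece');

-- A value that happens to look like SQL is still compared as text.
-- Check count(*) before and after: the table is untouched.
SELECT count(*) FROM people;
EXECUTE find_person('''; TRUNCATE people; --');
SELECT count(*) FROM people;

-- Contrast for dynamic SQL: if a value must be spliced into query text,
-- format() with %L re-quotes it as a literal (doubling any apostrophe),
-- whereas %s would paste it in raw and let it be parsed as SQL.
SELECT format('SELECT name FROM people WHERE name = %L', 'bob''s niece');

DEALLOCATE find_person;
```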