On Wed, Aug 9, 2017 at 4:03 PM, David G. Johnston <
david.g.johns...@gmail.com> wrote:

> On Wed, Aug 9, 2017 at 3:21 PM, Jym Morton <j...@outlook.com> wrote:
>> When I write software, and use a database I don’t need to escape literals
>> if I have a Prepared Statement.  This is a major reason some of us use
>> Prepared Statements.   So, when I looked at this page, I was unclear about
>> was whether it or not I had to do it.
> (​pseudo-code)​
> EXECTUE ('; TRUNCATE pg_catalog');
​To be clear - you only need to escape the single quote once - to write the
original literal.

EXECUTE ('bob''s niece')​ -- bob's niece, with no risk of SQL injection

David J.

Reply via email to