On Wed, Aug 9, 2017 at 4:03 PM, David G. Johnston <
david.g.johns...@gmail.com> wrote:

> On Wed, Aug 9, 2017 at 3:21 PM, Jym Morton <j...@outlook.com> wrote:
>
>> When I write software, and use a database I don’t need to escape literals
>> if I have a Prepared Statement.  This is a major reason some of us use
>> Prepared Statements.   So, when I looked at this page, I was unclear about
>> whether or not I had to do it.
>>
>
> (pseudo-code)
> PREPARE 'SELECT $1';
> EXECUTE ('; TRUNCATE pg_catalog');
>
>
To be clear - you only need to escape the single quote once - to write the
original literal.

EXECUTE ('bob''s niece') -- bob's niece, with no risk of SQL injection

David J.
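The distinction David draws, shown as an added example that is not part of the thread: the quote is doubled only where the literal is written into the SQL text itself, while a value bound to a prepared statement is passed raw. The standard-library sqlite3 module stands in for PostgreSQL here (binding semantics are the same; the placeholder is `?` instead of `$1`), and the table and row are constructed for the example.

```python
"""Added example: quoting a literal in SQL text vs. binding a parameter.

sqlite3 (standard library) stands in for PostgreSQL; only the placeholder
syntax differs (? here, $1 in PostgreSQL's PREPARE/EXECUTE).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with one row whose value contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    # We are authoring the literal inside the SQL text, so the single quote
    # is doubled exactly once. This is the only place escaping is needed.
    conn.execute("INSERT INTO people (name) VALUES ('bob''s niece')")
    return conn


def find_by_name(conn: sqlite3.Connection, name: str) -> list[str]:
    """Prepared statement: the value is bound as data, never spliced into
    the SQL text, so the caller passes the raw string with no escaping."""
    rows = conn.execute("SELECT name FROM people WHERE name = ?", (name,))
    return [r[0] for r in rows]


def table_count(conn: sqlite3.Connection) -> int:
    """Row count, used to confirm a SQL-looking value changed nothing."""
    return conn.execute("SELECT count(*) FROM people").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    # The raw value, quote and all, matches the stored row.
    print(find_by_name(conn, "bob's niece"))
    # Doubling the quote in the bound value makes it a different string.
    print(find_by_name(conn, "bob''s niece"))
    # A value that looks like SQL is still just a value; the table survives.
    print(find_by_name(conn, "; TRUNCATE pg_catalog"), table_count(conn))
```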
