surabhi.ahuja wrote:
My application is in C++
and i am getting char* ..s which i need to insert into the
table...and for insert i am calling a stored procedure.
But i need to form the call to the stored procedure with the above
char*s as the argument.
Fine - just make sure you validate your d
Title: Re: [GENERAL] a stored procedure ..with integer as the parameter
surabhi.ahuja wrote:
what do u suggest i do then in that case?
i mean how should i make a query - i mean how do i make a command?
You should always provide well-defined escaping to all data coming from
a non-trusted source (i.e. outside your application) and preferably to
all data in any cas
On Wednesday, 26.10.2005, 09:37 +0530, surabhi.ahuja wrote:
> what do u suggest i do then in that case?
> i mean how should i make a query - i mean how do i make a command?
>
Need more details. What language are you using, what is the exact
problem and so on.
From: Tino Wildenhain [mailto:[EMAIL PROTECTED]]
Sent: Tue 10/25/2005 11:22 AM
To: surabhi.ahuja
Cc: Richard
In article <[EMAIL PROTECTED]>,
Alex Turner <[EMAIL PROTECTED]> writes:
> delete * from user;
> select * from table where my_id=$in_value
> Am I just smoking crack here, or does this approach have some merit?
The former :-) The correct defense against SQL injection is prope
On Tuesday, 25.10.2005, 10:24 +0530, surabhi.ahuja wrote:
> oops i am sorry,
> i mean from the client i ll be getting values (which i need to insert
> into the table) in the form of strings:
>
> and i form the insert command as follows:
>
> function(char *a, char *b, char *c)
> {
> char
On 24 Oct 2005 22:00:55 +0200, Harald Fuchs <[EMAIL PROTECTED]> wrote:
In article <[EMAIL PROTECTED]>,
Alex Turner <[EMAIL PROTECTED]> writes:
> As sort of a side discussion - I have postulated that quoting all incoming
> numbers as string would be an effective defense against SQL Injection style
> attacks, as m
As sort of a side discussion - I have postulated that quoting all
incoming numbers as string would be an effective defense against SQL
Injection style attacks, as magic quotes would destroy any end-quote
type syntax:
in_value=1
select * from table where my_id='$in_value';
as an example for PHP
oesn't match the pattern for an integer.
> From: Stephan Szabo [mailto:[EMAIL PROTECTED]
> Sent: Fri 10/21/2005 12:11 PM
> To: surabhi.ahuja
> Cc: pgsql-general@postgresql.org
> Subject: Re: [GENERAL] a stored procedure ..with integer as the parameter
>
> On Fri, 21 Oct
surabhi.ahuja wrote:
from the client I get : "200", "surabhi", "10"
now i have to make a call to the stored procedure using the above received
strings.
will not the "200" be converted to a valid integer before saving into the
database ..and same with the smallint values.
That wasn't the error
from the client i receive a vector of strings ...which i have to pass as arguments to the stored procedure.
That stored procedure has valid arguments data types
for instance i have a stored procedure as follows
First, you should not quote an integer value going into an integer column -
bad habit to get into.
Second, empty string is not an integer.
Susan
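Both replies above come down to the same rule for the C++ client described earlier in the thread: check that each incoming string really is an integer before it goes anywhere near the stored procedure, and hand it over as a bound parameter rather than as quoted text spliced into the statement. The following C++ is an added example written for this thread, not code posted by any participant; it assumes the procedure is named insert_table as in the original post, and that the resulting SQL text with $n placeholders plus the separate value array is later sent through a parameterized API such as libpq's PQexecParams (which takes exactly that shape).

```cpp
// Added example (not from the thread): strict validation of incoming strings
// before they are passed as parameters to an integer stored procedure.
#include <cctype>
#include <cerrno>
#include <climits>
#include <cstdlib>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Parse a C string as a PostgreSQL "integer" (32-bit). Returns std::nullopt
// unless the whole string is a well-formed decimal integer in range:
// no empty string, no surrounding whitespace, no trailing junk, no overflow.
std::optional<int> parse_pg_integer(const char* s) {
    if (s == nullptr || *s == '\0') return std::nullopt;            // "" is not an integer
    if (std::isspace(static_cast<unsigned char>(*s))) return std::nullopt; // strtol would skip it silently
    char* end = nullptr;
    errno = 0;
    long v = std::strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return std::nullopt;       // overflow, or trailing junk ("3;", "3 ")
    if (v < INT_MIN || v > INT_MAX) return std::nullopt;            // fits a long but not an int4
    return static_cast<int>(v);
}

// Outcome of preparing a stored-procedure call: the SQL text keeps one $n
// placeholder per argument and the values travel separately, so no client
// value is ever part of the statement text.
struct PreparedCall {
    std::string sql;                 // e.g. "select insert_table($1, $2)"
    std::vector<std::string> params; // validated values, sent out of band
};

// Build the call for a procedure (hypothetical name supplied by the caller)
// whose parameters are all "integer". Returns std::nullopt if any incoming
// string fails validation, in which case nothing should be sent at all.
std::optional<PreparedCall> prepare_integer_call(const std::string& proc,
                                                 const std::vector<const char*>& args) {
    PreparedCall call;
    call.sql = "select " + proc + "(";
    for (size_t i = 0; i < args.size(); ++i) {
        std::optional<int> v = parse_pg_integer(args[i]);
        if (!v) return std::nullopt;
        call.params.push_back(std::to_string(*v)); // canonical text of the validated integer
        call.sql += (i ? ", $" : "$") + std::to_string(i + 1);
    }
    call.sql += ")";
    return call;
}

int main() {
    // Constructed inputs modelled on the thread: "200" and "10" are what the
    // client sends; "" and "surabhi" are the cases the replies say must fail.
    const std::vector<const char*> from_client = {"200", "10"};
    if (std::optional<PreparedCall> call = prepare_integer_call("insert_table", from_client)) {
        std::cout << "SQL: " << call->sql << '\n';
        for (size_t i = 0; i < call->params.size(); ++i)
            std::cout << "  $" << i + 1 << " = " << call->params[i] << '\n';
    }
    const std::vector<const char*> suspect = {"", "surabhi", "3 ", "2147483648"};
    for (const char* s : suspect)
        std::cout << '"' << s << "\" -> " << (parse_pg_integer(s) ? "ok" : "rejected") << '\n';
    return 0;
}
```

parse_pg_integer rejects the empty string, non-numeric text, surrounding whitespace or trailing characters, and values outside the int4 range, so the bad input is reported on the client side instead of surfacing as a database type error; the canonical text produced by std::to_string is what goes into the parameter array, never into the SQL string.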
On Fri, 21 Oct 2005, surabhi.ahuja wrote:
> i have a stored procedure
>
> insert_table(integer)
> which does "insert into table (x) value ($1)";
>
> now in my client i call the stored procedure as
>
> select insert_table("3");
>
> it works fine and inserts 3 into the table
>
> but suppose i give