On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
Why are only select, insert, update, and delete supported for $X binds?
This is a property of the way prepared statements are implemented.
Prepared statement parameters can be used in the place of expressions in
optimizable statements (the
Neil Conway [EMAIL PROTECTED] writes:
On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
Why can't preparation be used as a global anti-injection facility?
All that work would need to be deferred to EXECUTE-time, which would largely
defeat the purpose of server-side prepared statements,
Greg Stark wrote:
Neil Conway [EMAIL PROTECTED] writes:
On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
Why can't preparation be used as a global anti-injection facility?
All that work would need to be deferred to EXECUTE-time, which would largely
defeat the purpose of
On Wed, 2006-07-05 at 06:55 -0400, Agent M wrote:
Like you said, it would make sense to have binds anywhere where there
are quoted strings - if only for anti-injection. There could be a flat
plan which simply did the string substitution with the proper escaping
at execute time.
I don't see
Why are only select, insert, update, and delete supported for $X binds?
Why can't preparation be used as a global anti-injection facility?
Example using the backend protocol for binds:
PREPARE TRANSACTION $1;
bind $1 ['text']
--syntax error at $1
Why am I able to prepare statements with the