On Wed, 2006-07-05 at 06:55 -0400, Agent M wrote:
> Like you said, it would make sense to have binds anywhere where there
> are quoted strings, if only for anti-injection. There could be a "flat"
> plan which simply did the string substitution with the proper escaping
> at execute time.
I don't
Greg Stark wrote:
Neil Conway <[EMAIL PROTECTED]> writes:
On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
Why can't preparation be used as a global anti-injection facility?
All that work would need to be deferred to EXECUTE-time, which would largely
defeat the purpose of se
Neil Conway <[EMAIL PROTECTED]> writes:
> On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
>
> > Why can't preparation be used as a global anti-injection facility?
>
> All that work would need to be deferred to EXECUTE-time, which would largely
> defeat the purpose of server-side prepared stat
On Mon, 2006-07-03 at 23:28 -0400, Agent M wrote:
> Why are only select, insert, update, and delete supported for $X binds?
This is a property of the way prepared statements are implemented.
Prepared statement parameters can be used in the place of expressions in
optimizeable statements (the actua