DEV Community

Discussion on: How to write super-uber-mega secure, sql-injection bullet-proof PostgreSQL queries

Anders S

Why wouldn't you just use binding in your SQL interface? All major languages support this in some form or another, and it makes sure things are escaped.

vbilopav Author

I do use a binding interface to call a PostgreSQL function "select from select_value(%s);" that encapsulates a query.

This is just a strict security measure as well as encapsulation.
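The combination the two comments describe (a bound parameter on the client side, a PostgreSQL function encapsulating the query on the server side), as an added example that is not code from the original post or from the article it discusses. The `settings` table, its columns and the bodies of the `select_value*` functions are assumptions for illustration; the one thing the example adds beyond the comments is the caveat at the end, that wrapping a query in a function only helps if the function itself does not rebuild SQL from its arguments.

```sql
-- Added example, not from the original post. Table and function bodies are assumptions.

CREATE TABLE IF NOT EXISTS settings (
    name  text PRIMARY KEY,
    value text NOT NULL
);

INSERT INTO settings (name, value)
VALUES ('theme', 'dark'), ('lang', 'en')
ON CONFLICT (name) DO NOTHING;

-- 1. Static SQL inside the function: the argument is only ever a value, never SQL text.
--    SECURITY INVOKER (the default) keeps the caller's privileges.
CREATE OR REPLACE FUNCTION select_value(_name text)
RETURNS text
LANGUAGE sql STABLE
AS $$
    SELECT value FROM settings WHERE name = _name;
$$;

-- The client binds the argument, e.g. in Python/psycopg:
--     cur.execute("select select_value(%s)", (user_input,))
-- The driver sends query text and parameter separately, so the parameter is never
-- parsed as SQL. The same call from psql, with a typical injection payload as the value:
SELECT select_value($$' OR 1=1 --$$) IS NULL AS payload_matched_no_row;   -- true

-- 2. Caveat: a function that concatenates its argument into dynamic SQL is still
--    injectable, no matter how the caller passed the argument.
CREATE OR REPLACE FUNCTION select_value_unsafe(_name text)
RETURNS text
LANGUAGE plpgsql
AS $$
DECLARE v text;
BEGIN
    -- Becomes: SELECT value FROM settings WHERE name = '' OR 1=1 --'
    EXECUTE 'SELECT value FROM settings WHERE name = ''' || _name || '''' INTO v;
    RETURN v;
END;
$$;

SELECT select_value_unsafe($$' OR 1=1 --$$);   -- returns a row: the quote broke out

-- 3. If dynamic SQL is really needed, bind inside the function too: values go
--    through USING (or format('%L', ...)), identifiers through format('%I', ...).
CREATE OR REPLACE FUNCTION select_value_dynamic(_name text)
RETURNS text
LANGUAGE plpgsql STABLE
AS $$
DECLARE v text;
BEGIN
    EXECUTE 'SELECT value FROM settings WHERE name = $1' INTO v USING _name;
    RETURN v;
END;
$$;

SELECT select_value_dynamic($$' OR 1=1 --$$) IS NULL AS payload_matched_no_row;   -- true
```

Run the script in psql against a scratch database; the three `SELECT` lines show the bound payload matching nothing in the static and `USING` variants and returning a row from the concatenating one. Checking for `EXECUTE` with `||` in `\df+` output of your own functions is a quick audit for the third case.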