DEV Community

Discussion on: How to write super-uber-mega secure, sql-injection bullet-proof PostgreSQL queries

Anders S

Why wouldn't you just use binding in your SQL interface? All major languages support this in some form or another, and it makes sure things are escaped.

stackoverflow.com/questions/902408...

vbilopav Author

I do use a binding interface to call a PostgreSQL function "select from select_value(%s);" that encapsulates a query.

This is just a strict security measure as well as encapsulation.
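The two replies above describe the pattern: the client binds the value, and the bound value is handed to a PostgreSQL function that encapsulates the real query. The following is an added example, not code from the post or from the author's project. The table `items` and the bodies of `select_value` and its two variants are assumptions for illustration; the thread only shows the call `select_value(%s)`. It also shows the caveat a practitioner should check: the wrapping function is only as safe as its own body, so an inner `EXECUTE` built by string concatenation re-introduces injection even though the caller used binding.

```sql
-- Added example (not from the post or the author's project).
-- The table and function bodies below are assumptions; the thread
-- only shows the client-side call "select from select_value(%s)".

create table if not exists items (id int primary key, name text);
insert into items values (1, 'apple'), (2, 'banana') on conflict do nothing;

-- Encapsulating function as the author describes it: the parameter is used
-- as a value in a static statement, so whatever the caller binds is data.
create or replace function select_value(_name text)
returns setof items
language sql stable
as $$
    select * from items where name = _name;
$$;

-- UNSAFE variant, for contrast: dynamic SQL assembled by concatenation
-- re-creates the injection inside the function, even when the caller bound
-- the value correctly.
create or replace function select_value_unsafe(_name text)
returns setof items
language plpgsql stable
as $$
begin
    return query execute 'select * from items where name = ''' || _name || '''';
end;
$$;

-- Safe dynamic SQL, if dynamic SQL is really needed: pass the value with USING
-- so it is bound inside the function as well.
create or replace function select_value_dynamic(_name text)
returns setof items
language plpgsql stable
as $$
begin
    return query execute 'select * from items where name = $1' using _name;
end;
$$;

-- The client's binding API (psycopg-style %s placeholder in the thread) is
-- stood in for here by a server-side prepared statement with one parameter.
prepare q(text) as select * from select_value($1);

execute q('apple');                                    -- one row
execute q('apple'' or ''1''=''1');                     -- zero rows: the quote is data, not syntax

-- Same injection payload against each inner implementation:
select * from select_value_unsafe('apple'' or ''1''=''1');   -- two rows: concatenation let the payload through
select * from select_value_dynamic('apple'' or ''1''=''1');  -- zero rows: USING keeps it as data
```

Run this in psql against a scratch database. The point to check in a review is not whether the client binds (it does, in both the safe and unsafe case) but whether every `EXECUTE` inside the encapsulating function passes values via `USING` or `format('%L', ...)` rather than `||`.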