Re: libpq, PQExecParams and the inserting of binary data
From | Volkan YAZICI |
---|---|
Subject | Re: libpq, PQExecParams and the inserting of binary data |
Date | |
Msg-id | 7104a7370506030943662e4be@mail.gmail.com |
In reply to | libpq, PQExecParams and the inserting of binary data (David Hinkle <drachs@gmail.com>) |
Responses | Re: libpq, PQExecParams and the inserting of binary data |
List | pgsql-interfaces |
Hi,

On 6/3/05, David Hinkle <drachs@gmail.com> wrote:
> As you can see, I assumed I could use PQescapeBytea to escape the
> binary data and then just use the returned value as a text parameter.

You don't need to (also you shouldn't) escape any data while using
parameters, because you'll miss one big advantage of parameter usage.
From the PQexecParams() documentation:

«The primary advantage of PQexecParams over PQexec is that parameter
values may be separated from the command string, thus avoiding the need
for tedious and error-prone quoting and escaping. Unlike PQexec,
PQexecParams allows at most one SQL command in the given string. (There
can be semicolons in it, but not more than one nonempty command.) This
is a limitation of the underlying protocol, but has some usefulness as
an extra defense against SQL-injection attacks.»

Regards.