by sa46 1388 days ago
Prepared statements (in Postgres) don't work for:

- Dynamically generated queries, like a user specifying a query predicate via a UI.

- Dynamically selecting an identifier, like `SELECT * FROM $1` or `SELECT $1, count(*) FROM foo GROUP BY $1`.

You can use cleverness with types to parse user-provided data into a struct that emits sanitized SQL, but under the hood, there are only strings.

1 comment

Then you can't allow users to provide them. They must be constructed with constraints.
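As an added example (not from either commenter), the following Python shows both halves of the thread: a bound parameter cannot stand in for an identifier, and a UI-driven predicate and GROUP BY column can still be built safely by constraining identifiers and operators to allowlists while binding every value. It uses the stdlib `sqlite3` driver so it runs offline; the table `orders`, its rows, the allowlists and the `build_group_count` helper are all constructed for the example. The same split applies in Postgres, where `psycopg.sql.Identifier` would replace the hand-rolled `quote_ident`.

```python
import sqlite3

# Constructed sample data, not from the page.
ROWS = [("us", "paid"), ("us", "open"), ("eu", "paid"), ("eu", "paid")]

# The constraints the reply talks about: the UI may only name these
# columns and operators. Anything else is rejected before any SQL exists.
ALLOWED_COLUMNS = {"region", "status"}
ALLOWED_OPS = {"eq": "=", "ne": "<>", "like": "LIKE"}


def make_conn():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (region TEXT, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", ROWS)
    return conn


def quote_ident(name):
    """Double-quote an identifier that has already passed the allowlist.
    Escaping embedded quotes is defence in depth; the allowlist is the control."""
    return '"' + name.replace('"', '""') + '"'


def build_group_count(column, filters):
    """filters: list of (column, op_name, value) tuples as a UI might send them.
    Identifiers and operators are checked against allowlists and spliced in as
    text (the only way to get them into SQL); values are always bound."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    clauses, params = [], []
    for col, op_name, value in filters:
        if col not in ALLOWED_COLUMNS or op_name not in ALLOWED_OPS:
            raise ValueError(f"filter not allowed: {col!r} {op_name!r}")
        clauses.append(f"{quote_ident(col)} {ALLOWED_OPS[op_name]} ?")
        params.append(value)
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    sql = (f"SELECT {quote_ident(column)}, count(*) FROM orders"
           f"{where} GROUP BY {quote_ident(column)}")
    return sql, params


def group_count(conn, column, filters):
    sql, params = build_group_count(column, filters)
    return sorted(conn.execute(sql, params).fetchall())


def bound_identifier_fails(conn):
    """A bound parameter cannot take the place of a table name: the parser
    rejects it before any value is bound."""
    try:
        conn.execute("SELECT * FROM ?", ("orders",))
    except sqlite3.OperationalError:
        return True
    return False


def bound_group_by_is_a_constant(conn):
    """Binding the GROUP BY target parses fine but groups by the literal
    string, so the query silently answers a different question."""
    return conn.execute(
        "SELECT ?, count(*) FROM orders GROUP BY ?", ("region", "region")
    ).fetchall()


if __name__ == "__main__":
    c = make_conn()
    print(bound_identifier_fails(c))
    print(bound_group_by_is_a_constant(c))
    print(group_count(c, "region", [("status", "eq", "paid")]))
```

The string the UI sends for a column never reaches the query text unless it is byte-for-byte one of the allowlisted names, so `quote_ident` only ever sees known identifiers; predicate values still travel as parameters and are never interpolated.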