
List:       postgresql-sql
Subject:    Re: [SQL] question
From:       Vivek Khera <vivek () khera ! org>
Date:       2005-08-30 14:59:01
Message-ID: 9158F005-5B73-405A-8CD6-97D6B4621F62 () khera ! org


On Aug 24, 2005, at 1:05 AM, Matt A. wrote:

> We used nullif('$value','') on inserts in mssql.  We
> moved to postgres and love it but the nullif() doesn't
> match empty strings to each other to return null other
> than a text type, causing an error. This is a major
> part of our application.

I *certainly* hope you're not passing $value in straight from your  
web form directly into the SQL.  You're opening yourself up for SQL  
injection attacks.

Why not just have your app that reads the form generate the proper  
value to insert? That is the safe route.

Vivek Khera, Ph.D.
+1-301-869-4449 x806
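
Added example, not part of the original message: the reply's advice (have the application produce the value, with an empty field becoming NULL) next to the interpolated `nullif('$value','')` pattern from the quoted question. It uses Python's built-in sqlite3 as a stand-in for PostgreSQL so it runs offline; the `contacts` table, the `nickname` column, the function names and the sample inputs are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample form inputs: an empty field, a name with an apostrophe,
# and text that closes the quoted literal early.
SAMPLES = ["", "O'Brien", "a','')), (nullif('b"]

def to_param(raw):
    """Application-side replacement for nullif(value, ''): empty -> NULL."""
    return None if raw is None or raw == "" else raw

def insert_interpolated(conn, raw):
    # Pattern the reply warns about: form text becomes part of the SQL itself.
    conn.execute("INSERT INTO contacts (nickname) VALUES (nullif('%s',''))" % raw)

def insert_bound(conn, raw):
    # Form text travels as a bound parameter and is never parsed as SQL.
    conn.execute("INSERT INTO contacts (nickname) VALUES (?)", (to_param(raw),))

def run(inserter, values=SAMPLES):
    """Insert each value into a fresh table; return (stored rows, failed inputs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, nickname TEXT)")
    failed = []
    for raw in values:
        try:
            inserter(conn, raw)
        except sqlite3.Error:
            failed.append(raw)  # statement no longer parses
    rows = [r[0] for r in conn.execute("SELECT nickname FROM contacts ORDER BY id")]
    conn.close()
    return rows, failed

if __name__ == "__main__":
    for fn in (insert_interpolated, insert_bound):
        print(fn.__name__, run(fn))
```

With the interpolated statement, the apostrophe input fails outright and the third input is stored as two rows instead of one; with bound parameters each input is stored once, exactly as typed, and the empty field becomes NULL.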


