
31 Jul 2013, 7:47 a.m.
On Wed, Jul 31, 2013 at 05:28:02PM +0600, Alexey Uimanov wrote:
> The rationale is that the low-level database interface accepts parameters directly instead of inserting them inside the query manually. [...] Low-level database interface knows better how to work with parameters, so the driver must pass them to it instead of parameters substitution.
Letting the low-level database interface (I'm guessing you're talking about a C library provided by the database vendor) do the escaping certainly makes a lot of sense. However, it would still be possible to make sure that the *number* of parameters supplied matches the number of placeholders in the query string. That would make sense, don't you think?

Tom
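One way a driver could implement the count check Tom suggests, as an added example that is not code from this thread or from any particular driver: it counts DB-API qmark (?) and format (%s) placeholders outside of string literals, refuses to execute on a mismatch, and still leaves escaping and binding entirely to the underlying library. The names count_placeholders, checked_execute and demo, and the SQLite table data, are assumptions constructed for the example.

```python
import sqlite3

def count_placeholders(query: str, style: str = "qmark") -> int:
    """Count parameter placeholders outside of string literals.

    Quoted literals ('...', with '' as an escaped quote) are skipped so a
    literal '?' or '%s' in the SQL text is not counted. In format style,
    '%%' is an escaped percent sign, not a placeholder.
    """
    count, i, n = 0, 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "'":
            # Skip the whole string literal, honouring doubled quotes.
            i += 1
            while i < n:
                if query[i] == "'":
                    if i + 1 < n and query[i + 1] == "'":
                        i += 2
                        continue
                    break
                i += 1
            i += 1
        elif style == "qmark" and ch == "?":
            count += 1
            i += 1
        elif style == "format" and ch == "%":
            if i + 1 < n and query[i + 1] == "s":
                count += 1
            i += 2  # consumes '%s' or '%%'
        else:
            i += 1
    return count

def checked_execute(cursor, query, params=(), style="qmark"):
    """Refuse to run the query unless len(params) matches the placeholder
    count; escaping and binding are still left entirely to the driver."""
    expected = count_placeholders(query, style)
    if expected != len(params):
        raise ValueError(f"query has {expected} placeholder(s), got {len(params)} parameter(s)")
    return cursor.execute(query, params)

def demo() -> list:
    """Exercise the check against an in-memory SQLite table (constructed data)."""
    cur = sqlite3.connect(":memory:").cursor()
    cur.execute("CREATE TABLE users (name TEXT, role TEXT)")
    cur.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    # The '?' inside the quoted literal is not a placeholder, so one parameter is right.
    rows = checked_execute(cur, "SELECT name FROM users WHERE role = ? AND name <> 'who?'", ("admin",))
    return [name for (name,) in rows.fetchall()]
```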