escape-string CONNECTION STRING  [procedure]

Escapes special characters in STRING that would otherwise be interpreted by the SQL parser, obeying the CONNECTION's encoding and escaping settings and using the escaping syntax for string contexts. This does NOT add surrounding quotes to the string; adding them is up to you.

Example:

;; This prevents people from changing a query's parse tree.
;; For example, they could try to turn a query like
;; SELECT * FROM USERS WHERE id='x'
;;    into
;; SELECT * FROM USERS WHERE id='1' OR '1'='1'
;; By escaping the value for x before quoting it, you get the intended
;; parse tree (a single string literal):
;; SELECT * FROM USERS WHERE id='1'' OR ''1''=''1'
(escape-string conn "1' OR '1'='1") => "1'' OR ''1''=''1"

;; Depending on the value of standard_conforming_strings you might also get
(escape-string conn "1' OR '1'='1") => "1\\' OR \\'1\\'=\\'1"

;; Of course, when using these strings you still need to surround
;; the output of escape-string with single quotes
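The following is an added example, not code from the postgresql egg: it re-implements the two escaping styles shown above in Python (doubling quotes, or backslash-escaping when standard_conforming_strings is off) and runs a tiny lexer over the resulting query to confirm the hostile value stays one string literal. The helper names, the lexer, and the assumption that backslashes must also be doubled in backslash mode are mine, not part of the egg's documented API.

```python
# Added example: stand-alone re-implementation for illustration only.
def escape_string(s, standard_conforming_strings=True):
    """Escape S for use inside a single-quoted SQL literal, WITHOUT adding
    the surrounding quotes (mirrors what the page says escape-string does).
    Assumption beyond the page: in backslash mode a literal backslash is
    itself doubled, otherwise a trailing backslash would swallow the
    closing quote the caller adds."""
    if standard_conforming_strings:
        return s.replace("'", "''")
    return s.replace("\\", "\\\\").replace("'", "\\'")

def quote_literal(s, standard_conforming_strings=True):
    """The caller's job per the page: wrap the escaped text in quotes."""
    return "'" + escape_string(s, standard_conforming_strings) + "'"

def build_query(value, escape=True, standard_conforming_strings=True):
    """Vulnerable (escape=False) vs. escaped (escape=True) query building."""
    if escape:
        lit = quote_literal(value, standard_conforming_strings)
    else:
        lit = "'" + value + "'"          # naive quoting, no escaping
    return "SELECT * FROM USERS WHERE id=" + lit

def literal_count(query, standard_conforming_strings=True):
    """Minimal SQL string lexer: how many string literals does the parser
    see?  A value that is safely escaped always contributes exactly one."""
    i, n, count = 0, len(query), 0
    while i < n:
        if query[i] != "'":
            i += 1
            continue
        count += 1                        # opening quote of a literal
        i += 1
        while i < n:
            c = query[i]
            if c == "'" and query[i + 1:i + 2] == "'":
                i += 2                    # '' stays inside the literal
            elif c == "\\" and not standard_conforming_strings:
                i += 2                    # backslash escape eats next char
            elif c == "'":
                i += 1                    # closing quote
                break
            else:
                i += 1
    return count

HOSTILE = "1' OR '1'='1"                  # the page's injection attempt

if __name__ == "__main__":
    print(build_query(HOSTILE, escape=False), literal_count(build_query(HOSTILE, escape=False)))
    print(build_query(HOSTILE), literal_count(build_query(HOSTILE)))
```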