|< < 37 > >|

What about other languages?

Use Parameters (regardless of language)

Reasons


```c
#include <stdio.h>
#include <libpq-fe.h>

/* cnxn is an already-open PGconn*; connection setup is omitted on the slide */
const char* query = "select * from student where name = '%s'";
char buffer[1000];
/* The user-supplied value is spliced straight into the SQL text */
sprintf(buffer, query, "Robert'; drop table student cascade; --");
printf("%s\n", buffer);
/* libpq runs the whole string, so both statements execute */
PQexec(cnxn, buffer);
```

Output:
select * from student where name = 'Robert'; drop table student cascade; --'
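The same contrast in another language, as an added example that is not part of the slide deck: Python's standard sqlite3 module, chosen because the slide's point is that parameters apply regardless of language (in libpq the equivalent is PQexecParams). The student table and its rows are constructed here, and the payload is adapted from the slide's by dropping the CASCADE clause, which SQLite's DROP TABLE does not accept; the shape of the attack is unchanged. The spliced string is run with executescript so that, like PQexec, it executes every statement it contains, while the parameterized query treats the whole value as a literal and the table survives.

```python
import sqlite3

# Constructed payload, adapted from the slide (SQLite has no DROP TABLE ... CASCADE)
INJECTED_NAME = "Robert'; drop table student; --"


def setup_db():
    """Create an in-memory database with a small constructed student table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table student (name text)")
    conn.executemany("insert into student (name) values (?)", [("Alice",), ("Robert",)])
    conn.commit()
    return conn


def build_query_unsafe(name):
    """The slide's sprintf pattern: the value is spliced into the SQL text."""
    return "select * from student where name = '%s'" % name


def run_unsafe(conn, name):
    """Run the spliced text as a script, as PQexec runs a multi-statement string."""
    conn.executescript(build_query_unsafe(name))


def run_safe(conn, name):
    """Parameterized form: the SQL text is fixed, the value travels separately."""
    cur = conn.execute("select name from student where name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def table_exists(conn):
    """True if the student table is still present in the schema."""
    cur = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'student'"
    )
    return cur.fetchone()[0] == 1


def demo():
    """Return (table survived unsafe path, rows from safe path, table survived safe path)."""
    unsafe = setup_db()
    run_unsafe(unsafe, INJECTED_NAME)
    survived_unsafe = table_exists(unsafe)

    safe = setup_db()
    rows = run_safe(safe, INJECTED_NAME)   # no student has this literal name
    survived_safe = table_exists(safe)
    return survived_unsafe, rows, survived_safe


if __name__ == "__main__":
    print(build_query_unsafe(INJECTED_NAME))
    print(demo())   # (False, [], True)
```

The detection signal for the unsafe path is the shape of the string, not the database engine: any code that builds SQL text from a format string or concatenation should be treated as a finding, whatever language it is written in.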
