Tom Lane wrote:

Dmitry Tkach <[EMAIL PROTECTED]> writes:


Does it mean that the *application* (not the database) user would then have to know the exact specific way to represent the current time in his data entry form?
Such an application looks like (how do I say it politely?) not a very user-friendly one to me :-)



So? "now()" is certainly not more user-friendly than "now".


Nope... it isn't.
My point was that, if the app wanted to be user-friendly, it would not attempt to take the input directly from the user and stuff it into the SQL - it would probably have some checkbox or drop-down list in the GUI form that would indicate that the user wants the current timestamp, and use the proper internal representation in the generated SQL...
In that case, having to execute a function (now()) would not make it vulnerable to SQL injection...


My point
is that wherever you are making the decision that you want to input
current time, there may be layers between you and the database that will
only want to pass data-value strings and not function invocations.



Yeah... I've actually found one after I sent that last message :-) - it does seem to come in handy in COPY TABLE - although, in that case, I'd say it would be much more useful to make COPY TABLE understand the defined defaults on the table, just the way INSERT does...

Dima
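As an added illustration (not from the thread, and not PostgreSQL's own documentation or code), the ways of getting the current timestamp into a row that Tom and Dima contrast, written out in PostgreSQL SQL. The table, column and prepared-statement names are assumptions made for the example; the COPY data at the end is constructed.

```sql
-- Added example, not from the original thread.  Table and names are assumed.
CREATE TABLE events (
    id          serial PRIMARY KEY,
    note        text,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- 1. Function invocation typed straight into the SQL text.  Fine at a psql
--    prompt, but a middle layer that only forwards data values cannot emit
--    this without splicing text into the statement it sends.
INSERT INTO events (note, created_at) VALUES ('function call', now());

-- 2. The special string 'now'.  It is an ordinary string literal, so it can
--    travel as a bound parameter; the server resolves it when the value is
--    coerced to timestamptz, at EXECUTE time here.
PREPARE add_event (text, timestamptz) AS
    INSERT INTO events (note, created_at) VALUES ($1, $2);
EXECUTE add_event ('bound parameter', 'now');

-- 3. Omit the column and let the table default supply the value.  This is
--    the form a GUI "use current time" checkbox maps to most naturally: the
--    application never places a user-controlled string in the SQL text.
INSERT INTO events (note) VALUES ('column default');

-- 4. COPY input is data values only, so 'now' is the one way to ask for the
--    current time inside the data itself (the case Dima mentions).  The '|'
--    delimiter is just to keep the example readable; the default is a tab.
COPY events (note, created_at) FROM STDIN WITH DELIMITER '|';
copied row|now
\.

-- Caveat: 'now' is converted to a fixed instant as soon as the literal is
-- read.  In a saved context (a view, a function body, a column DEFAULT
-- written as 'now' rather than now()) that instant is reused long after it
-- is stale, so use the function form wherever the statement is stored.
SELECT note, created_at FROM events ORDER BY id;
```

Run the block as a script in psql; the COPY section relies on psql's STDIN handling and the `\.` terminator, so a driver that does not implement COPY FROM STDIN would need the COPY statement and its data removed.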


