CLSQL does the escaping itself. The question is whether a library that does prepared statements is reasonably expected to be safer than one that does escaping.
I haven't audited CLSQL's escaping myself, however. And I concede that using prepared statements takes one possible vulnerability off the table, which is nice. I was just wondering whether 'eudox had any specific reason to think that CLSQL's escaping was flawed.