On May 4, 11:22 am, [email protected] (Martin Evans) wrote:
>
> I'd really avoid concatenating user supplied strings into your SQL. Use
> parameters instead:
>
> select * from my_table where last_name like ?
>
> then use bind_param or execute(my_parameter_list).

That sounds reasonable. I inherited this code, written about 10 years ago - it doesn't surprise me that a freshening is needed.

> You don't say what database this is. It is not always UPPER especially
> when the strings might be unicode (Oracle uses nls_upper). Other than
> that upper(column) = upper(?) is ok.

This is ORACLE, and so perhaps it would be better to use nls_upper instead of upper.

Thank you to those who took the time to respond to my question. I really appreciate it.
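The two forms discussed in this thread side by side, as an added example written for this page (it is not code from either poster): the inherited concatenation pattern, then the placeholder version Martin Evans recommends, for Oracle through DBD::Oracle. The connection string, credentials, table name and column names are assumptions. It also covers a point the thread does not: a placeholder stops SQL injection, but a user-supplied `%` or `_` is still a LIKE wildcard, so the value is escaped and the statement carries an ESCAPE clause.

```perl
#!/usr/bin/env perl
# Added example, not from the thread.  Assumed: TNS alias ORCL, user app_user,
# table my_table with columns id and last_name.
use strict;
use warnings;
use DBI;

# NAME_lc lower-cases hash keys; Oracle otherwise returns ID / LAST_NAME.
my $dbh = DBI->connect(
    'dbi:Oracle:ORCL', 'app_user', 'app_pass',
    { RaiseError => 1, AutoCommit => 0, PrintError => 0,
      FetchHashKeyName => 'NAME_lc' }
);

# VULNERABLE (the inherited style): the user string becomes SQL text.
# A last name of   x') OR ('1'='1   returns every row; a quote character
# alone breaks the statement.  Kept here only for contrast; never called.
sub find_by_last_name_unsafe {
    my ( $dbh, $last_name ) = @_;
    my $sql = "SELECT id, last_name FROM my_table "
            . "WHERE UPPER(last_name) LIKE UPPER('$last_name')";
    return $dbh->selectall_arrayref( $sql, { Slice => {} } );
}

# Escape LIKE metacharacters so the user's text matches literally.
# Placeholders do not do this for you: a bare '%' would match the whole table.
sub escape_like {
    my ($s) = @_;
    $s =~ s/([\\%_])/\\$1/g;
    return $s;
}

# SAFE: the value is sent as a bind variable, never spliced into the SQL.
# NLS_UPPER instead of UPPER, per Martin's Oracle/Unicode remark; the ESCAPE
# clause pairs with escape_like() above.
sub find_by_last_name {
    my ( $dbh, $last_name, $prefix_match ) = @_;
    my $pattern = escape_like($last_name);
    $pattern .= '%' if $prefix_match;    # wildcard added by the code, not the user

    my $sth = $dbh->prepare(
        q{SELECT id, last_name FROM my_table
           WHERE NLS_UPPER(last_name) LIKE NLS_UPPER(?) ESCAPE '\'}
    );
    $sth->execute($pattern);             # same as bind_param(1, $pattern); execute
    return $sth->fetchall_arrayref( {} );
}

# An apostrophe in the name is harmless because it never reaches the SQL text.
my $rows = find_by_last_name( $dbh, "O'Brien", 1 );
printf "%d %s\n", $_->{id}, $_->{last_name} for @$rows;

$dbh->disconnect;
```

Bind variables also let Oracle reuse the parsed statement across calls, so the safe form is cheaper than the concatenated one, not just safer. If the column is compared with equality rather than LIKE, drop `escape_like` and the ESCAPE clause and use `NLS_UPPER(last_name) = NLS_UPPER(?)`.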
