</varlistentry>
<varlistentry id="libpq-PQoidStatus">
<term><function>PQoidStatus</function><indexterm><primary>PQoidStatus</primary></indexterm></term>
<listitem>
<para>
This function is deprecated in favor of
<xref linkend="libpq-PQoidValue"/> and is not thread-safe.
It returns a string with the OID of the inserted row, while
<xref linkend="libpq-PQoidValue"/> returns the OID value.
<synopsis>
char *PQoidStatus(const PGresult *res);
</synopsis>
</para>
</listitem>
</varlistentry>
</variablelist>
</sect2>
<sect2 id="libpq-exec-escape-string">
<title>Escaping Strings for Inclusion in SQL Commands</title>
<indexterm zone="libpq-exec-escape-string">
<primary>escaping strings</primary>
<secondary>in libpq</secondary>
</indexterm>
<variablelist>
<varlistentry id="libpq-PQescapeLiteral">
<term><function>PQescapeLiteral</function><indexterm><primary>PQescapeLiteral</primary></indexterm></term>
<listitem>
<para>
<synopsis>
char *PQescapeLiteral(PGconn *conn, const char *str, size_t length);
</synopsis>
</para>
<para>
<xref linkend="libpq-PQescapeLiteral"/> escapes a string for
use within an SQL command. This is useful when inserting data
values as literal constants in SQL commands. Certain characters
(such as quotes and backslashes) must be escaped to prevent them
from being interpreted specially by the SQL parser.
<xref linkend="libpq-PQescapeLiteral"/> performs this operation.
</para>
<para>
<xref linkend="libpq-PQescapeLiteral"/> returns an escaped version of the
<parameter>str</parameter> parameter in memory allocated with
<function>malloc()</function>. This memory should be freed using
<function>PQfreemem()</function> when the result is no longer needed.
A terminating zero byte is not required, and should not be
counted in <parameter>length</parameter>. (If a terminating zero byte is found
before <parameter>length</parameter> bytes are processed,
<xref linkend="libpq-PQescapeLiteral"/> stops at the zero; the behavior is
thus rather like <function>strncpy</function>.) The
return string has all special characters replaced so that they can
be properly processed by the <productname>PostgreSQL</productname>
string literal parser. A terminating zero byte is also added. The
single quotes that must surround <productname>PostgreSQL</productname>
string literals are included in the result string.
</para>
<para>
On error, <xref linkend="libpq-PQescapeLiteral"/> returns <symbol>NULL</symbol> and a suitable
message is stored in the <parameter>conn</parameter> object.
</para>
<tip>
<para>
It is especially important to do proper escaping when handling
strings that were received from an untrustworthy source.
Otherwise there is a security risk: you are vulnerable to
<quote>SQL injection</quote> attacks wherein unwanted SQL commands are
fed to your database.
</para>
</tip>
<para>
Note that it is neither necessary nor correct to do escaping when a data
value is passed as a separate parameter in <xref linkend="libpq-PQexecParams"/> or
its sibling routines.
</para>
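<para>
To make the contract above concrete, here is a stand-alone C model of it (an added example, not libpq code or part of this manual), together with a defensive check that an escaped value still parses as exactly one literal. The names <function>escape_literal_model</function>, <function>is_single_literal</function> and <function>escapes_to</function> are invented for the example, and the <literal>E'...'</literal> treatment of backslashes mirrors what libpq actually emits but is an assumption not stated in the text.
</para>

```c
#include <stdlib.h>
#include <string.h>

/* Model of the contract documented above (added example, not libpq code): scan
 * at most `length` bytes, stop at the first zero byte, double each single quote,
 * wrap in single quotes, NUL-terminate.  Backslashes follow libpq's real code
 * (assumption): an E'...' literal with backslashes doubled.  free() the result. */
char *escape_literal_model(const char *str, size_t length)
{
    size_t n = 0, quotes = 0, backslashes = 0;
    while (n < length && str[n] != '\0') {             /* strncpy-like scan */
        if (str[n] == '\'') quotes++;
        else if (str[n] == '\\') backslashes++;
        n++;
    }
    /* room for " E", the two quotes, every doubled byte and the terminator */
    char *out = malloc(n + quotes + backslashes + 5), *p = out;
    if (out == NULL) return NULL;
    if (backslashes > 0) { *p++ = ' '; *p++ = 'E'; }
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (str[i] == '\'' || str[i] == '\\') *p++ = str[i];  /* double it */
        *p++ = str[i];
    }
    *p++ = '\''; *p = '\0';
    return out;
}

/* Defensive check: `lit` is exactly one complete literal, i.e. no unpaired
 * quote (and, in E'' form, no dangling backslash) before the closing quote. */
int is_single_literal(const char *lit)
{
    int esc = strncmp(lit, " E'", 3) == 0;
    if (esc) lit += 3; else if (*lit == '\'') lit++; else return 0;
    for (; *lit != '\0'; lit++) {
        if (esc && *lit == '\\') { if (lit[1] == '\0') return 0; lit++; }
        else if (*lit == '\'' && lit[1] == '\'') lit++;          /* doubled */
        else if (*lit == '\'') return lit[1] == '\0';            /* closing */
    }
    return 0;                                                    /* unclosed */
}
/* Escape `in`, check the exact text and that it is one literal, then free. */
int escapes_to(const char *in, size_t len, const char *expected)
{
    char *lit = escape_literal_model(in, len);
    int ok = lit != NULL && strcmp(lit, expected) == 0 && is_single_literal(lit);
    free(lit);
    return ok;
}
```

<para>
Naively wrapping <literal>O'Reilly</literal> in quotes yields <literal>'O'Reilly'</literal>, which the check rejects because the embedded quote ends the literal early, whereas the escaped form <literal>'O''Reilly'</literal> passes. In application code, call <function>PQescapeLiteral</function> and release the result with <function>PQfreemem()</function>, or avoid escaping altogether by passing the value as a parameter to <xref linkend="libpq-PQexecParams"/>.
</para>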
</listitem>
</varlistentry>
<varlistentry id="libpq-PQescapeIdentifier">
<term><function>PQescapeIdentifier</function><indexterm><primary>PQescapeIdentifier</primary></indexterm></term>
<listitem>
<para>
<synopsis>
char *PQescapeIdentifier(PGconn *conn, const char *str, size_t length);
</synopsis>
</para>
<para>
<xref linkend="libpq-PQescapeIdentifier"/> escapes a string for
use as an SQL identifier, such as a table, column, or function name.
This is useful when a user-supplied identifier might contain
special characters that would otherwise not be interpreted