Re: Effectiveness of pg_escape_string at blocking SQL injection attacks

On Fri, May 27, 2005 at 10:57:16 -0500,
  Ed Finkler <coj@xxxxxxxxxxxxxxxxx> wrote:
> Folks,
> 
> The php mysql api has a function "mysql_real_escape_string" that seems 
> to be able to thwart known SQL injection attacks -- at least the ones of 
> which I and other people I've discussed this with know.  I am curious to 
> know if pg_escape_string is as effective.  If not, what would need to be 
> modified to make it more effective?
> 
> (there is a possibility that I may be able to get a grad student to work 
>  on this at the center, so detailed responses would be appreciated.)

The best advice is to use bind parameters rather than trying to build
SQL strings consisting partly of user input.
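
To make the difference concrete, here is an added example (not code from the thread or from either poster) that runs the same lookup three ways against PostgreSQL with PHP's pg_* functions: naive concatenation, pg_escape_string, and bind parameters via pg_query_params (which was added to PHP in 5.1, after this message was written). It assumes a reachable server described by a PGCONN environment variable and builds its own throwaway table and attacker input; those are constructed for the demo and not taken from the thread.

```php
<?php
// Added example, not from the original thread. Assumes a PostgreSQL server
// reachable via the PGCONN environment variable (an assumed name), e.g.
//   PGCONN='host=localhost dbname=test user=test password=test' php inject.php
// The table, its rows and the attacker-controlled values are constructed here.

$conn = pg_connect(getenv('PGCONN') ?: '');
if ($conn === false) {
    fwrite(STDERR, "could not connect; set PGCONN\n");
    exit(1);
}

// Throwaway table that disappears when the session ends.
pg_query($conn, "CREATE TEMP TABLE users (id serial PRIMARY KEY, name text NOT NULL)");
pg_query($conn, "INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// Attacker-controlled value. Nobody has this name, but once concatenated into
// a quoted literal it turns the WHERE clause into  name = '' OR '1'='1'  (always true).
$untrusted = "' OR '1'='1";

// 1. Naive concatenation: the quote in $untrusted closes the literal early.
$r1 = pg_query($conn, "SELECT id, name FROM users WHERE name = '" . $untrusted . "'");
echo "concatenated:      ", pg_num_rows($r1), " rows\n";

// 2. pg_escape_string: safe ONLY because the result is wrapped in single
//    quotes, i.e. placed where the parser expects a string literal. Passing
//    $conn lets it honour the connection's client encoding and its
//    standard_conforming_strings setting when deciding how to escape.
$escaped = pg_escape_string($conn, $untrusted);
$r2 = pg_query($conn, "SELECT id, name FROM users WHERE name = '" . $escaped . "'");
echo "escaped + quoted:  ", pg_num_rows($r2), " rows\n";

// 3. Bind parameters: the SQL text is fixed and the value travels separately,
//    so nothing the user supplies is ever parsed as SQL. No escaping needed.
$r3 = pg_query_params($conn, 'SELECT id, name FROM users WHERE name = $1', [$untrusted]);
echo "pg_query_params:   ", pg_num_rows($r3), " rows\n";

// Where escaping alone fails: an unquoted position. The input contains no
// quote or backslash, so pg_escape_string returns it unchanged, and in a
// numeric context there is no quote to break out of in the first place.
$untrustedId = "1 OR 1=1";
$r4 = pg_query($conn, "SELECT id, name FROM users WHERE id = " . pg_escape_string($conn, $untrustedId));
echo "escaped, unquoted: ", ($r4 ? pg_num_rows($r4) : 0), " rows\n";

// With a bind parameter the server types $1 from the column it is compared
// with, so the same input is rejected as not an integer instead of executed.
$r5 = @pg_query_params($conn, 'SELECT id, name FROM users WHERE id = $1', [$untrustedId]);
echo "param, bad int:    ",
    ($r5 === false ? "query rejected: " . trim(pg_last_error($conn)) : pg_num_rows($r5) . " rows"),
    "\n";
```

The escaping call in case 2 does its job, but only under a condition the programmer has to remember at every call site (the value lands inside a quoted literal). Case 4 is what happens when that condition is forgotten. With pg_query_params there is no such condition, which is why the reply above recommends bind parameters over building SQL strings from user input.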

