Bruno Wolff III wrote:
The best advice is to use bind parameters rather than trying to build SQL strings consisting partly of user input.
That's good advice, but I suspect not everyone is going to know this, and will have a tendency to use the escaping function to try and clean input. Do you have any suggestions about improving the security of the pg_escape_string function?
--
Ed Finkler
Web and Security Archive Administrator
CERIAS - Purdue University
http://www.cerias.purdue.edu/
v: 765.496.6762
f: 764.496.3181
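The point Bruno raises above (bind parameters rather than building SQL strings out of escaped input) can be shown concretely. The following is an added example and is not code from this thread or from PHP's pg_* functions; it uses Python with an in-memory SQLite database as a stand-in for PostgreSQL, and naive_escape() is a constructed stand-in for the quote-doubling an escaping function performs, not pg_escape_string itself. It shows that escaping only protects the one context it was designed for (inside a quoted string literal), while a bind parameter is safe regardless of where the value lands in the statement.

```python
import sqlite3


def naive_escape(value: str) -> str:
    """Constructed stand-in for a string-escaping function: doubles single quotes
    so the value can be placed inside '...' in a SQL literal. It is NOT
    pg_escape_string and knows nothing about the context the caller uses it in."""
    return value.replace("'", "''")


def setup() -> sqlite3.Connection:
    """Builds a small constructed sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0)],
    )
    return conn


def names_by_id_string_building(conn: sqlite3.Connection, user_id: str) -> list:
    """The pattern the thread warns about: the input is escaped, but then
    interpolated into an unquoted numeric position. Quote doubling does nothing
    here because the attacker never needs a quote character."""
    sql = "SELECT name FROM users WHERE id = " + naive_escape(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def names_by_name_string_building(conn: sqlite3.Connection, name: str) -> list:
    """Escaping into a quoted string literal, the one context it was built for.
    This happens to hold up, which is why people trust the escaping function."""
    sql = "SELECT name FROM users WHERE name = '" + naive_escape(name) + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def names_by_id_bind_parameter(conn: sqlite3.Connection, user_id: str) -> list:
    """Bind parameter: the value is sent separately from the statement text, so
    it can never be parsed as SQL no matter which position it fills."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def names_by_name_bind_parameter(conn: sqlite3.Connection, name: str) -> list:
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = setup()
    hostile_id = "2 OR 1=1"          # constructed hostile input, no quotes needed
    hostile_name = "x' OR '1'='1"    # constructed hostile input aimed at a quoted literal
    print("escaped, numeric context:", names_by_id_string_building(db, hostile_id))
    print("escaped, quoted context: ", names_by_name_string_building(db, hostile_name))
    print("bound, numeric context:  ", names_by_id_bind_parameter(db, hostile_id))
    print("bound, quoted context:   ", names_by_name_bind_parameter(db, hostile_name))
```

Run stand-alone, the first line lists every user (the escaped value still injected because the surrounding SQL had no quotes for the escaping to protect), while the bound versions return nothing for the hostile inputs and the normal result for ordinary ones. The escaping function is not "broken" in the quoted case; the failure is that its safety depends on the caller placing the result in exactly the right context, which is the mistake bind parameters remove entirely.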