Re: Effectiveness of pg_escape_string at blocking SQL injection attacks




Bruno Wolff III wrote:

> The best advice is to use bind parameters rather than trying to build
> SQL strings consisting partly of user input.

That's good advice, but I suspect not everyone is going to know this, and will have a tendency to use the escaping function to try and clean input. Do you have any suggestions about improving the security of the pg_escape_string function?

--
Ed Finkler
Web and Security Archive Administrator
CERIAS - Purdue University
http://www.cerias.purdue.edu/
v: 765.496.6762  f: 764.496.3181
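To make the two approaches in this exchange concrete, here is an added PHP example (not code from either poster) that puts a pg_escape_string query next to the bind-parameter form Bruno recommends. It assumes a local PostgreSQL database reachable with the connection string shown and a table `users(id, name)`; both are placeholders.

```php
<?php
// Added example, not part of the thread. Assumes a reachable PostgreSQL
// instance and a table users(id serial, name text); adjust the DSN.
$conn = pg_connect("host=localhost dbname=example user=example password=secret")
    or die("connect failed");

// Untrusted input, e.g. from a query string.
$name = $_GET['name'] ?? '';

// 1. Escaping approach. pg_escape_string only doubles quotes and escapes
//    backslashes for the connection's client_encoding; it is correct only
//    when the result is wrapped in single quotes and used as a string
//    literal. Used for identifiers, numbers, or without the quotes, the
//    query is still injectable, and nothing warns the developer.
$escaped = pg_escape_string($conn, $name);
$res1 = pg_query($conn, "SELECT id, name FROM users WHERE name = '$escaped'");

// 2. Bind parameters. The SQL text is fixed and the value is sent to the
//    server separately as $1, so no quoting or escaping of the query
//    string is involved and the value can never change the statement.
$res2 = pg_query_params(
    $conn,
    'SELECT id, name FROM users WHERE name = $1',
    [$name]
);

// Both return the same rows for ordinary input; only (2) does not depend
// on the developer remembering the quoting rules.
while ($row = pg_fetch_assoc($res2)) {
    echo $row['id'], ' ', $row['name'], PHP_EOL;
}
```

If string building is unavoidable, `pg_escape_literal()` (PHP 5.4.4 and later) returns the value already wrapped in quotes, which removes the most common mistake with `pg_escape_string()`; `pg_escape_identifier()` does the same for table and column names, which `pg_escape_string()` cannot protect at all.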

