On Fri, Apr 20, 2012 at 2:03 AM, Yvon Thoraval <yvon.thoraval@xxxxxxxxx> wrote:
> function quoteAsAre($string){
> return preg_replace('/\\\"/', '"', preg_replace("/\\\'/", "'",
> $string));
> }
> function sql2str($string){
> return preg_replace('/\'\'/', "'", $string);
> }
> function str2sql($string){
> return preg_replace('/\'/', "''", $string);
> }
>
> OK, i'll carrefully inspect all of those.
No; ditch them. I mean no offense to you personally, but these
functions are not worth keeping. Every SQL API includes a function for
quoting something as a literal string. With PDO, it's this one:
http://www.php.net/manual/en/pdo.quote.php
I don't know where you would be using sql2str, but it's just as
dangerous as the others (not to mention inefficient, there's no need
to use regular expressions for simple string replacement). Replace all
your calls to any of these functions with standard quoting functions
and see if your problem disappears. If not, well, it's still not been
a fruitless exercise, because now you are relying for safety and
security on something that the database engine promises is correct :)
Chris Angelico
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
