The PostgreSQL-8.1.4 release documentation says we should be using PostgreSQL-supplied string escaping routines, not "homebrew" methods. No argument from me on this. But in the "User Guide to the 8.1.4 Security Update", it says: | An example of an application at risk is a PHP program that uses | addslashes() or magic_quotes. We note that these tools have been deprecated | by the PHP group since version 4.0. Can anyone provide a source for the statement? It's odd, since PHP-4.0 was released on 2000-05-22, shortly after PostgreSQL-7.0, and the PQescapeString() function wasn't even added to libpq until PostgreSQL-7.2 almost 2 years later. The current PHP reference manual doesn't discourage use of addslashes() for database input. I agree with you - this is wrong - but where did the "We note... deprecated by the PHP group since version 4.0" line come from?
