On Fri, 2006-05-26 at 08:58, Erik Jones wrote: > ljb wrote: > > tgl@xxxxxxxxxxxxx wrote: > > > >> ljb <ljb220@xxxxxxxxxxxxxx> writes: > >> > >>> | addslashes() or magic_quotes. We note that these tools have been deprecated > >>> | by the PHP group since version 4.0. > >>> > >>> Can anyone provide a source for the statement? > >>> > >> I'm not going to put words in Josh's mouth about where he got that from, > >> but anyone who reads all of the comments at > >> http://us3.php.net/manual/en/function.addslashes.php > >> ought to come away suitably unimpressed with the security of that > >> function. > >> > > > > Yes, sorry, I did see those comments, although I don't think they are from > > the PHP group themselves. But I missed the statement on the pg_escape_string > > manual page saying "use of this function is recommended instead of > > addslashes()". I still think "since version 4.0" is wrong. > > > Better yet, use PEAR::DB or some other db abstraction package that will > handle all of this for you. Or, if you're going to use the native pgsql interface, you can always use prepared queries. http://www.php.net/manual/en/function.pg-prepare.php Actually, other than still not having error numbers (just the error messages, seems like "priority inversion" to me, btw) the pgsql interface in php is quite robust. You can even run async queries with it.
