On Nov 14, 2007 4:51 PM, A.M. <agentm@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
>
> > On Nov 14, 2007 2:40 PM, madhtr <madhtr@xxxxxxxxx> wrote:
> >> Quick question, are there any native functions in PostgreSQL 8.1.4
> >> that will strip HTML tags, escape chars, etc?
> >
> > I can't think of a lot of native functions, but it's sure easy enough
> > to roll your own with things like the regex functionality built in.
>
> Please don't do that - there are corner cases where a naive regex can
> fail, leaving the programmer thinking he is covered when he is not.
> The variety of web languages include filtering modules
> (HTML::Scrubber) - in the case of Perl or PHP, it can even be run
> server-side.

And given that pl/PHP can run that inside the database, there's a reason you can't do it there?

> Furthermore, one shouldn't use an API which allows for SQL injections.

Oh heck, I hadn't even noticed he was asking about escaping things. I guess it really matters what he means by escaping them. If he's talking URL encoding/decoding, that's something you could do safely in the db (again, with something like pl/PHP or pl/perl), but SQL escaping should be done before the db ever sees the data.
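The "corner cases where a naive regex can fail" point above, as an added example that is not part of the thread. It shows two hand-rolled regex strippers against constructed inputs that defeat them, and a stripper built on Python's standard-library HTML tokenizer (html.parser, used here as a stand-in for a filtering module such as the Perl HTML::Scrubber mentioned in the reply) whose output is escaped so it can never start a tag when rendered. The function names and sample inputs are the example's own.

```python
import html
import re
from html.parser import HTMLParser

# --- Two typical hand-rolled "strippers" of the kind the thread warns against ---

def strip_tags_regex(text):
    """Naive 'remove every tag' regex. It silently assumes every tag ends in '>'."""
    return re.sub(r"<[^>]*>", "", text)

def strip_script_regex(text):
    """Naive 'remove only script tags' regex, applied in a single pass."""
    return re.sub(r"</?script[^>]*>", "", text, flags=re.IGNORECASE)

# --- A stripper built on a real HTML tokenizer (stdlib html.parser) ---

class TagStripper(HTMLParser):
    """Collect the text content of a document, dropping the bodies of
    <script> and <style> elements. The tokenizer, not a regex, decides
    where tags begin and end (quoted '>' in attributes, entities, etc.)."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: &amp; etc. arrive as plain text
        self._chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self._chunks.append(data)

    def text(self):
        return "".join(self._chunks)

def strip_tags_safe(untrusted_html):
    """Tokenize, keep only text, then escape the result. The escape step is what
    guarantees the output cannot open a tag, whatever the parser did with
    malformed input (e.g. a start tag that never closes)."""
    parser = TagStripper()
    parser.feed(untrusted_html)
    parser.close()
    return html.escape(parser.text())

# --- Constructed inputs (not from the thread) ---
SPLIT_SCRIPT = "<scr<script>ipt>alert(1)</scr</script>ipt>"  # single-pass removal reassembles the tag
UNTERMINATED = "<b>Hi</b> <img src=x onerror=alert(1)"        # no '>' so the tag regex never matches
ATTR_WITH_GT = '<a title="1 > 0">click</a>'                   # '>' inside a quoted attribute value
NORMAL = "<p>Hello <b>world</b> &amp; friends</p>"
WITH_SCRIPT = "<p>x</p><script>alert(1)</script><p>y</p>"

if __name__ == "__main__":
    for label, fn, src in [
        ("script-only regex", strip_script_regex, SPLIT_SCRIPT),
        ("all-tags regex", strip_tags_regex, UNTERMINATED),
        ("parser + escape", strip_tags_safe, SPLIT_SCRIPT),
        ("parser + escape", strip_tags_safe, UNTERMINATED),
        ("parser + escape", strip_tags_safe, ATTR_WITH_GT),
    ]:
        print(f"{label:18} {src!r:50} -> {fn(src)!r}")
```

The single-pass script regex turns SPLIT_SCRIPT into a literal `<script>alert(1)</script>`, and the all-tags regex leaves the unterminated `<img ... onerror=...>` untouched because it never sees a closing `>`; a browser appending the next `>` from the surrounding page completes the tag. The parser-based function produces plain text with every `<` escaped, so neither input can become markup. Note that this is for turning untrusted HTML into text; if the goal is to keep some markup and render it, that calls for an allowlist-based sanitizer, not a stripper.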
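The closing point, that SQL escaping belongs on the client side before the database sees the data, as an added example that is not part of the thread. The correct client-side mechanism is parameter binding: the driver sends the SQL text and the values separately, so nothing in the value is ever parsed as SQL. The code uses Python's sqlite3 as a stand-in for PostgreSQL so it runs offline (with psycopg2 the same call takes `%s` placeholders and a tuple); the table, rows and function names are constructed for the example.

```python
import sqlite3

def build_db():
    """Constructed sample table. sqlite3 stands in for PostgreSQL here;
    the binding rule is identical for psycopg2 ('%s' placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, secret TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cret-a"), ("bob", "s3cret-b"), ("O'Brien", "s3cret-o")],
    )
    return conn

def secrets_unsafe(conn, name):
    """The pattern the thread warns against: the caller's text is pasted into
    the SQL string, so quotes in it change the query's meaning."""
    sql = "SELECT name, secret FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def secrets_safe(conn, name):
    """Bind the value. The SQL text is fixed; the driver hands the value to
    the engine as data, so no escaping is needed and none can be forgotten."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()

if __name__ == "__main__":
    conn = build_db()
    payload = "x' OR '1'='1"   # constructed injection input
    print("unsafe:", secrets_unsafe(conn, payload))   # every row leaks
    print("safe:  ", secrets_safe(conn, payload))     # no user is named that
    try:
        secrets_unsafe(conn, "O'Brien")               # a legitimate name breaks the query
    except sqlite3.OperationalError as exc:
        print("unsafe raised:", exc)
    print("safe:  ", secrets_safe(conn, "O'Brien"))   # binding handles the quote
```

The injection payload makes the interpolated query return the whole table, while the bound query returns nothing because no row literally has that name. The apostrophe in a real name shows the other cost of doing escaping by hand: an honest input breaks the unsafe query outright, and the bound query simply works.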