Scott-

In JavaScript: http://www.java2s.com/Tutorial/JavaScript/0520__Regular-Expressions/StripHTML.htm

M--

----- Original Message -----
From: "Scott Marlowe" <scott.marlowe@xxxxxxxxx>
To: "A.M." <agentm@xxxxxxxxxxxxxxxxxxxxx>
Cc: "pgsql-general" <pgsql-general@xxxxxxxxxxxxxx>
Sent: Wednesday, November 14, 2007 6:16 PM
Subject: Re: stripping HTML, SQL injections ...

> On Nov 14, 2007 4:51 PM, A.M. <agentm@xxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
> >
> > > On Nov 14, 2007 2:40 PM, madhtr <madhtr@xxxxxxxxx> wrote:
> > >> Quick question, are there any native functions in PostGreSQL 8.1.4
> > >> that will strip HTML tags, escape chars, etc?
> > >
> > > I can't think of a lot of native functions, but it's sure easy enough
> > > to roll your own with things like the regex functionality built in.
> >
> > Please don't do that- there are corner cases where a naive regex can
> > fail, leaving the programmer thinking he is covered when he is not.
> > The variety of web languages include filtering modules
> > (HTML::Scrubber)- in the case of Perl or PHP, it can even be run
> > server-side.
>
> And given that pl/PHP can run that inside the database, there's a
> reason you can't do it there?
>
> > Furthermore, one shouldn't use an API which allows for SQL injections.
>
> Oh heck, I hadn't even noticed he was asking about escaping things. I
> guess it really matters what he means by escaping them. If he's
> talking url encoding decoding, that's something you could do safely in
> the db (again, with something like pl/PHP or pl/perl) but SQL escaping
> should be done before the db ever sees the data.
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: explain analyze is your friend
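The corner cases A.M. warns about, shown against the kind of one-line JavaScript tag-stripper the linked tutorial describes. This is an added example, not code from the thread or from java2s; the inputs are constructed, and the escaping function is the usual output-context alternative rather than anything the posters proposed.

```javascript
// The usual regex stripper: drop anything that looks like <...>.
function naiveStripTags(html) {
  return html.replace(/<[^>]*>/g, "");
}

// Alternative: encode the characters that matter in an HTML text context
// instead of trying to recognise and remove markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// True if a raw angle bracket survived, i.e. an HTML tokenizer may still see a tag.
function containsRawAngleBracket(s) {
  return /[<>]/.test(s);
}

// Constructed inputs where the stripper does not do what its author expects.
const CORNER_CASES = {
  // Unterminated tag: the regex needs a ">" so nothing matches and "<b" survives.
  // Embedded as "<div>" + out + "</div>", the tokenizer is still inside a tag
  // name when it reaches "</div", so the closing tag is swallowed.
  unterminated: "text <b",
  // A ">" inside a quoted attribute ends the match early; the rest of the
  // attribute leaks into the visible text.
  quotedGt: '<a title="x>y">click</a>',
  // Entity-encoded markup is untouched. If the value is HTML-decoded later
  // (a second template layer, a rich-text widget), the tag reappears.
  encoded: "&lt;b&gt;bold&lt;/b&gt;",
};

// Run the stripper over every case and return the outputs by name.
function runStripper() {
  const out = {};
  for (const [name, input] of Object.entries(CORNER_CASES)) {
    out[name] = naiveStripTags(input);
  }
  return out;
}

// Escaping yields no raw angle brackets for any input, whatever its shape.
function allEscapedSafe() {
  return Object.values(CORNER_CASES).every(
    (s) => !containsRawAngleBracket(escapeHtml(s))
  );
}

console.log(runStripper());      // "unterminated" still contains "<b"
console.log(allEscapedSafe());   // true
```

SQL escaping is a separate concern from either function: it belongs to the database driver's parameterized statements, applied before the value reaches the server, as the thread says.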