On Sun, Mar 22, 2009 at 11:36 AM, RebeccaJ <rebeccaj@xxxxxxxxx> wrote: >> > Are there characters, maybe non-printing characters, or perhaps >> > even whole phrases, that could cause problems in my database or >> > application if I were to allow users to enter them into that column? >> >> > If so, does anyone happen to have a regular expression handy that you >> > think is a good choice for text columns' CHECK constraint? Or maybe a >> > link to a discussion of this topic? >> >> Nope, there's nothing you can put into a text to break pgsql. >> However, if you are using regular old queries, you'd be advised to use >> pg_escape_string() function in php to prevent SQL injection attacks. > > Thanks! I'll check out pg_escape_string() in php, and I see that > PostgreSQL also has something called PQescapeStringConn... I wonder if > I should use both... Isn't PGescapeStringConn a libpq function? I'm pretty sure that php's pg_escape_string is just calling that for you, so no need to use both. > Also, I should have asked: what about char and varchar fields? Can > those also handle any characters, as long as I consider SQL injection > attacks? ayup. As long as they're legal for your encoding, they'll go right in. If you wanna stuff in anything no matter the encoding, use a database initialized for SQL_ASCII encoding. -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
