You should use pg_query_params() rather than build a SQL statement in
your code, to prevent SQL injection attacks. Also, if you are going to
read this data back out and show it on a web page you probably should
make sure there is no rogue HTML or JavaScript or anything in there with
htmlentities() or somesuch.
RebeccaJ wrote:
Are there characters, maybe non-printing characters, or perhaps
even whole phrases, that could cause problems in my database or
application if I were to allow users to enter them into that column?
If so, does anyone happen to have a regular expression handy that you
think is a good choice for text columns' CHECK constraint? Or maybe a
link to a discussion of this topic?
Nope, there's nothing you can put into a text to break pgsql.
However, if you are using regular old queries, you'd be advised to use
pg_escape_string() function in php to prevent SQL injection attacks.
Thanks! I'll check out pg_escape_string() in php, and I see that
PostgreSQL also has something called PQescapeStringConn... I wonder if
I should use both...
Also, I should have asked: what about char and varchar fields? Can
those also handle any characters, as long as I consider SQL injection
attacks?
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
