On Mon, Mar 23, 2009 at 12:59 AM, Stephen Cook <sclists@xxxxxxxxx> wrote: > You should use pg_query_params() rather than build a SQL statement in your > code, to prevent SQL injection attacks. Also, if you are going to read this > data back out and show it on a web page you probably should make sure there > is no rogue HTML or JavaScript or anything in there with htmlentities() or > somesuch. Are you saying pg_quer_params is MORE effective than pg_escape_string at deflecting SQL injection attacks? -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
