Re: text column constraint, newbie question

On Mon, Mar 23, 2009 at 3:07 AM, Scott Marlowe <scott.marlowe@xxxxxxxxx> wrote:

> Are you saying pg_query_params is MORE effective than pg_escape_string
> at deflecting SQL injection attacks?

pg_query_params() will protect non-strings. For instance, read a
number in from user input and do something of the form " and
foo=$my_number". Even if you escape the string, an attacker doesn't
need a ' to close a string, so he can manage injection. If it's " and
foo=$1" using pg_query_params(), however, that's not possible.

-- 
- David T. Wilson
david.t.wilson@xxxxxxxxx

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
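The point David makes above, shown as an added example that is not part of the thread. The thread is about PHP's pg_escape_string()/pg_query_params() against PostgreSQL; to keep this runnable offline, Python's stdlib sqlite3 stands in for the database, a `?` placeholder stands in for `$1`, and the table, rows, and the `escape_string` helper (which only doubles single quotes, as pg_escape_string() does) are all constructed here. The contrast is the same: escaping helps only inside a quoted literal, while binding the value as a parameter keeps it from ever being parsed as SQL.

```python
import sqlite3

# Constructed sample rows; sqlite3 stands in for PostgreSQL (stdlib, runs offline).
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def _db():
    """Fresh in-memory database with one table: foo (integer), name (text)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (foo INTEGER, name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def escape_string(s):
    """Stand-in for pg_escape_string(): doubles single quotes.
    That is enough inside '...', and useless in an unquoted numeric position."""
    return s.replace("'", "''")


def lookup_escaped(user_input):
    """The pattern the thread warns about: escape, then interpolate the
    'number' into an unquoted position. No quote is needed to break out."""
    conn = _db()
    sql = "SELECT name FROM t WHERE 1=1 AND foo=" + escape_string(user_input) + " ORDER BY foo"
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_param(user_input):
    """Parameterized form (pg_query_params() with $1 in PHP): the value is
    bound by the driver, so the text is compared as data, never parsed as SQL."""
    conn = _db()
    sql = "SELECT name FROM t WHERE 1=1 AND foo=? ORDER BY foo"
    return [r[0] for r in conn.execute(sql, (user_input,)).fetchall()]


def lookup_validated(user_input):
    """Defence in depth: validate the type before binding, so anything that
    is not an integer is rejected before it reaches the database at all."""
    value = int(user_input)  # raises ValueError on non-numeric input
    conn = _db()
    sql = "SELECT name FROM t WHERE foo=? ORDER BY foo"
    return [r[0] for r in conn.execute(sql, (value,)).fetchall()]


if __name__ == "__main__":
    print("escaped, normal input:   ", lookup_escaped("2"))
    print("escaped, hostile input:  ", lookup_escaped("1 OR 1=1"))   # every row leaks
    print("parameter, hostile input:", lookup_param("1 OR 1=1"))     # nothing matches
    print("validated, normal input: ", lookup_validated("2"))
```

With the escaped-and-interpolated query, the hostile input returns every row because the escaping function never saw a quote to double; with the bound parameter the same text is compared to the column as a string and matches nothing. The validation step is the extra check worth adding for numeric fields even when parameters are used, since it turns bad input into an error at the application boundary.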
