RebeccaJ wrote:
Thanks, everyone, for your contribution to this thread. I'm approaching the database design of my web application differently, now. Before, I was planning to have CHECK constraints in all of my text or char fields, to keep out all semicolons, single quotes, and anything else that looked dangerous. Now I'm thinking that I'll be using htmlentities(), pg_escape_string() and pg_query_params() as safety filters, and otherwise allowing users to store whatever they want to, in the fields where I store/retrieve user input.
Note that htmlentities() expects LATIN1-encoded strings and is thus unusable on UTF-8 contents. So if you end up talking UTF-8 with the database, you'll probably need to use htmlspecialchars() instead, and UTF-8 as your HTML charset.
Best regards, -- Daniel PostgreSQL-powered mail user agent and storage: http://www.manitou-mail.org -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
