Re: Effectiveness of pg_escape_string at blocking SQL injection attacks

From: Ed Finkler <coj(at)cerias(dot)purdue(dot)edu>
To: Bruno Wolff III <bruno(at)wolff(dot)to>, pgsql-php(at)postgresql(dot)org
Subject: Re: Effectiveness of pg_escape_string at blocking SQL injection attacks
Date: 2005-05-27 16:06:27
Message-ID: 42974583.10207@cerias.purdue.edu
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-php

Bruno Wolff III wrote:

> The best advice is to use bind parameters rather than trying to build
> SQL strings consisting partly of user input.

That's good advice, but I suspect not everyone is going to know this,
and will have a tendency to use the escaping function to try and clean
intput. Do you have any suggestions about improving the security of the
pg_escape_string function?

--
Ed Finkler
Web and Security Archive Administrator
CERIAS - Purdue University
http://www.cerias.purdue.edu/
v: 765.496.6762 f: 764.496.3181

In response to

Browse pgsql-php by date

  From Date Subject
Next Message Volkan YAZICI 2005-05-27 16:25:52 Re: Effectiveness of pg_escape_string at blocking SQL injection attacks
Previous Message Bruno Wolff III 2005-05-27 15:59:22 Re: Effectiveness of pg_escape_string at blocking SQL injection attacks