
Re: Use of pg_escape_string()

From: Raymond O'Donnell <rod(at)iol(dot)ie>
To: Sylvain Racine <syracine(at)sympatico(dot)ca>
Cc: pgsql-php(at)postgresql(dot)org
Subject: Re: Use of pg_escape_string()
Date: 2009-11-22 19:44:48
Message-ID: 4B0994B0.9040406@iol.ie
Lists: pgsql-php
On 22/11/2009 19:22, Sylvain Racine wrote:
> Hello,
> 
> I keep hearing that every variable that comes from the user in PHP should be escaped.
> Most programmers around me use MySQL with mysql_escape_string(). Because
> I program with PostgreSQL, I take the opportunity to use pg_escape_string().
> Everything went well until I entered data containing an apostrophe (').
> pg_escape_string() escapes my apostrophe with another apostrophe ('').
> My data are stored correctly in the database. No error... except that a
> double apostrophe appears. This is not what I want.
> 
> Maybe something is wrong in my program. Here is a sample of what I use
> to store data in the table "personnes", which has two columns: firstname,
> lastname. I have removed the database connection and the construction of
> the Minute and Personnes objects.

Where is the INSERTed data coming from? Is it coming from data submitted
by GET or POST? If so, is magic_quotes_gpc turned on? If it is, this
could explain what you're seeing.

BTW, it's much better to use parametrised queries - look up
pg_query_params in the PHP docs. This looks after all quoting for you
automatically, and prevents SQL injection attacks.

Ray.


-- 
Raymond O'Donnell :: Galway :: Ireland
rod(at)iol(dot)ie
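The two points in this reply, shown as an added example that is not code from the thread: how magic_quotes_gpc (simulated here with addslashes) stacks with pg_escape_string(), and how pg_query_params() handles the values without any hand-quoting. It assumes the pgsql extension is loaded; the table "personnes(firstname, lastname)" is the one the original poster described, and the PG_DSN environment variable is an assumption of this example.

```php
<?php
// Undo magic_quotes_gpc (deprecated, gone since PHP 5.4) so the value is
// the raw text the user typed, before any escaping is applied to it.
// $magic_on is passed in so the demo below can simulate the old setting.
function unescape_gpc(string $value, bool $magic_on): string
{
    return $magic_on ? stripslashes($value) : $value;
}

// Detect the real setting on the running PHP (false on any modern version).
function magic_quotes_enabled(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Parameterised insert: the values travel separately from the SQL text, so
// no quoting is needed and they cannot alter the statement (no injection).
function insert_personne($conn, string $first, string $last)
{
    return pg_query_params(
        $conn,
        'INSERT INTO personnes (firstname, lastname) VALUES ($1, $2)',
        [$first, $last]
    );
}

// Constructed input, as PHP would hand it to the script with magic_quotes_gpc on.
$raw_from_user  = "O'Donnell";
$as_seen_by_php = addslashes($raw_from_user);   // simulates magic_quotes_gpc

// Escaping the already-slashed value compounds the quoting: the literal that
// reaches the server no longer represents what the user typed.
$double  = pg_escape_string($as_seen_by_php);
$correct = pg_escape_string(unescape_gpc($as_seen_by_php, true));
printf("raw:     %s\nslashed: %s\ndouble:  %s\ncorrect: %s\n",
       $raw_from_user, $as_seen_by_php, $double, $correct);

// Only talk to a database when one is configured (assumed env var), e.g.
//   PG_DSN="host=localhost dbname=test user=me" php example.php
if ($dsn = getenv('PG_DSN')) {
    $conn  = pg_connect($dsn);
    $first = unescape_gpc($as_seen_by_php, magic_quotes_enabled());
    $ok    = insert_personne($conn, $first, 'Racine');
    echo $ok ? "inserted\n" : pg_last_error($conn) . "\n";
}
```

The printed "double" line is what you get when magic quotes and pg_escape_string() are both applied; with pg_query_params() the raw value is passed as-is and neither escaping step is needed.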
