Skip site navigation (1) Skip section navigation (2)

Re: Use of pg_escape_string()

From: Eric Chamberlain <Eric(dot)Chamberlain(at)zonarsystems(dot)com>
To: "rod(at)iol(dot)ie" <rod(at)iol(dot)ie>
Cc: Sylvain Racine <syracine(at)sympatico(dot)ca>, "pgsql-php(at)postgresql(dot)org"<pgsql-php(at)postgresql(dot)org>
Subject: Re: Use of pg_escape_string()
Date: 2009-11-23 17:31:24
Message-ID: 802753EA-EF20-481E-9314-139E761824E3@zonarsystems.com (view raw or flat)
Thread:
Lists: pgsql-php
Adding an extra apostrophe is one of the ways you can escape another apostrophe with Postgre.  I believe Postgre can use an extra apostrophe or a backslash... and the API call you're using just happens to elect using the extra apostrophe over the backslash.  If you look at the data inserted into the database is there only one apostrophe in your data?  If so, that's what it is.  If there's two it could be as the previous poster said and magic quotes is enabled.

Eric Chamberlain

On Nov 22, 2009, at 11:44 AM, Raymond O'Donnell wrote:

> On 22/11/2009 19:22, Sylvain Racine wrote:
>> Hello,
>>
>> I use to hear about to escape every variables who come from user in PHP.
>> Most programmers around me use MySQL with mysql_escape_string(). Because
>> I program with PostgreSQL, I take advantage to use pg_escape_string().
>> Everything goes well, up I entered data with apostrophe(').
>> pg_escape_string() escapes my apostrophe with another apostrophe ('').
>> My data are well store in database. No error... except that appears a
>> double apostrophe. This is not what I want.
>>
>> Maybe something is wrong in my program. Here is a sample of what I use
>> to store data in table "personnes" which have two columns: firstname,
>> lastname. I remove database connection and construction of objects
>> Minute and Personnes.
>
> Where is the INSERTed data coming from? - Is it coming from data
> submitted by GET or POST? - if so, is magic_quotes_gpc turned on? If it
> is, this could explain what you're seeing.
>
> BTW, it's much better to use parametrised queries - look up
> pg_query_params in the PHP docs. This looks after all quoting for you
> automatically, and prevents SQL injection attacks.
>
> Ray.
>
>
> --
> Raymond O'Donnell :: Galway :: Ireland
> rod(at)iol(dot)ie
>
> --
> Sent via pgsql-php mailing list (pgsql-php(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-php


Confidentiality Notice: This e-mail may contain proprietary information some of which may be legally privileged. It is for the intended recipient(s) only. If you believe that it has been sent to you in error, please notify the sender by reply e-mail and delete the message. Any disclosure, copying, distribution or use of this information by someone other than the intended recipient(s) is prohibited and may be unlawful.

In response to

pgsql-php by date

Next:From: Jorge Miranda CastaƱedaDate: 2009-12-03 07:00:16
Subject: Problem with utf8 encoding
Previous:From: Raymond O'DonnellDate: 2009-11-22 19:44:48
Subject: Re: Use of pg_escape_string()

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group