Re: escaping and sql injection

From: Neil Conway <neilc(at)samurai(dot)com>
To: Martijn van Oosterhout <kleptog(at)svana(dot)org>
Cc: Dennis Gearon <gearond(at)cvc(dot)net>, PostgreSQL General <pgsql-general(at)postgresql(dot)org>
Subject: Re: escaping and sql injection
Date: 2003-02-22 02:13:52
Message-ID: 1045880032.366.10.camel@tokyo
Lists: pgsql-general

On Fri, 2003-02-21 at 19:07, Martijn van Oosterhout wrote:
> You can solve the SQL injection problem by escaping all single quotes (')
> and backslashes (\) with a backslash.

Rather than doing this by hand, I think it's probably wiser to let your
language interface do it for you. For example, libpq provides a
PQescapeString() function for escaping strings.

That particular function doesn't handle semi-colons, however.

Cheers,

Neil
--
Neil Conway <neilc(at)samurai(dot)com> || PGP Key ID: DB3C29FC
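The exchange above turns on a point that is easy to misread: escaping is only a defence when the escaped value ends up inside one single-quoted literal, and the escaping rule has to match the string syntax the server is actually using. The following is an added example, not code from this thread or from libpq. It implements the backslash rule Martijn quotes (PostgreSQL's historical behaviour, still what you get with standard_conforming_strings = off) next to the SQL-standard rule of doubling the quote, then runs a deliberately minimal tokenizer over the resulting query to count semicolons that would be seen as statement separators. The function names (escape_sql_literal, build_lookup, count_unquoted_semicolons, separators_seen), the users table and the attacker string are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example; not code from the thread or from libpq. */

enum escape_style {
    ESCAPE_BACKSLASH,   /* rule quoted in the thread: prefix ' and \ with \ */
    ESCAPE_STANDARD     /* SQL standard: double every ', leave \ alone      */
};

/* Escape `in` for use inside a single-quoted literal.  Returns the length
 * written (excluding the NUL), or -1 if `out` is too small. */
int escape_sql_literal(const char *in, enum escape_style style,
                       char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        int esc = (*in == '\'') ||
                  (style == ESCAPE_BACKSLASH && *in == '\\');
        if (n + (esc ? 2 : 1) >= outlen)
            return -1;                      /* leave room for the NUL */
        if (esc)
            out[n++] = (style == ESCAPE_BACKSLASH) ? '\\' : '\'';
        out[n++] = *in;
    }
    out[n] = '\0';
    return (int)n;
}

/* Build the kind of query the thread worries about, with the untrusted
 * value escaped and wrapped in quotes.  Returns a pointer to a static
 * buffer (not reentrant), or NULL on overflow. */
const char *build_lookup(const char *name, enum escape_style style)
{
    static char sql[512];
    char esc[256];
    if (escape_sql_literal(name, style, esc, sizeof esc) < 0)
        return NULL;
    int len = snprintf(sql, sizeof sql,
                       "SELECT * FROM users WHERE name = '%s'", esc);
    return (len < 0 || (size_t)len >= sizeof sql) ? NULL : sql;
}

/* Count ';' outside string literals, tokenising the way a server using
 * `style` would.  Deliberately minimal (no comments, no E'' or $$
 * strings); it only shows where a statement boundary would be seen. */
int count_unquoted_semicolons(const char *sql, enum escape_style style)
{
    int in_literal = 0, count = 0;
    for (const char *p = sql; *p != '\0'; p++) {
        if (!in_literal) {
            if (*p == '\'') in_literal = 1;
            else if (*p == ';') count++;
            continue;
        }
        if (style == ESCAPE_BACKSLASH && *p == '\\' && p[1] != '\0') {
            p++;                            /* backslash escapes next char */
        } else if (*p == '\'') {
            if (p[1] == '\'') p++;          /* '' is a quote in both styles */
            else in_literal = 0;
        }
    }
    return count;
}

/* Escape `payload` one way, then tokenise as a server using
 * `server_style` would.  -1 on overflow. */
int separators_seen(const char *payload, enum escape_style escape_with,
                    enum escape_style server_style)
{
    const char *sql = build_lookup(payload, escape_with);
    return sql ? count_unquoted_semicolons(sql, server_style) : -1;
}

int main(void)
{
    /* Constructed attacker input for the demonstration. */
    const char *payload = "'; DROP TABLE users; --";
    char raw[512];

    snprintf(raw, sizeof raw, "SELECT * FROM users WHERE name = '%s'", payload);
    printf("unescaped : %s\n  separators=%d\n", raw,
           count_unquoted_semicolons(raw, ESCAPE_STANDARD));

    printf("standard  : %s\n  separators=%d\n",
           build_lookup(payload, ESCAPE_STANDARD),
           separators_seen(payload, ESCAPE_STANDARD, ESCAPE_STANDARD));

    printf("backslash : %s\n  old server=%d  std server=%d\n",
           build_lookup(payload, ESCAPE_BACKSLASH),
           separators_seen(payload, ESCAPE_BACKSLASH, ESCAPE_BACKSLASH),
           separators_seen(payload, ESCAPE_BACKSLASH, ESCAPE_STANDARD));
    return 0;
}
```

Two things to take from the output. First, the semicolons in the payload survive both escaping styles untouched, and that is fine: they sit inside the literal, so neither style yields a second statement. Second, the backslash-escaped query that is harmless on a server with standard_conforming_strings = off parses as two statements on a server where it is on, because `'\'` is then a complete literal containing one backslash. That mismatch is why libpq later added PQescapeStringConn(), which consults the connection's setting, and why PQexecParams(), which sends parameter values out of band instead of splicing them into the query text, is the better answer wherever it is available.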
