From: | Oliver Elphick <olly(at)lfix(dot)co(dot)uk> |
---|---|
To: | DarkSamurai <julio(at)invlaid(dot)linux(dot)net> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Escaping metacharacters |
Date: | 2004-07-18 22:09:10 |
Message-ID: | 1090188550.25749.105.camel@linda |
Lists: | pgsql-hackers |
On Thu, 2004-07-15 at 23:02, DarkSamurai wrote:
> Hi,
>
> To prevent SQL injections, I try to neutralize SQL metacharacters.
>
> ex:
>
> Code:
>
> > function SQLString($s) {
> >     // double backslashes first, so the backslash added for quotes below is not doubled again
> >     $s = str_replace("\\", "\\\\", $s);
> >     // then escape single quotes
> >     $s = str_replace("'", "\\'", $s);
> >     return "'" . $s . "'";
> > }
Have you looked at the function PQescapeString() in the libpq library?
Using that would seem to be a simpler way of solving this problem.
Libraries such as Perl DBI have similar functions built in.
--
Oliver Elphick olly(at)lfix(dot)co(dot)uk
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
========================================
"For God so loved the world, that he gave his only
begotten Son, that whosoever believeth in him should
not perish, but have everlasting life." John 3:16
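To make the reply's point concrete, here is an added example (not code from this thread, from libpq, or from either poster) that models the rule PQescapeString applies: a single quote inside a literal is doubled, and backslashes are doubled only when the server does not treat them as ordinary characters (the later PQescapeStringConn takes the connection so it can check that setting). Everything below is a stand-in written for this page: the function names, the toy literal parser used to check the round trip, and the `standard_conforming_strings` flag are assumptions, not libpq's API. The parser models only the two escapes the escaper emits.

```python
from typing import Tuple


def escape_string(s: str, standard_conforming_strings: bool = True) -> str:
    """Escape s for use inside a single-quoted SQL literal.

    Models the rule libpq's PQescapeString follows (this is not libpq's code):
    a quote becomes two quotes; when the server does not treat backslashes as
    ordinary characters (standard_conforming_strings off), backslashes are
    doubled too. Because '' contains no backslash and \\\\ contains no quote,
    the two replacements cannot interfere, whatever order they run in.
    """
    out = s.replace("'", "''")
    if not standard_conforming_strings:
        out = out.replace("\\", "\\\\")
    return out


def quote_literal(s: str, standard_conforming_strings: bool = True) -> str:
    """Return s as a complete single-quoted SQL literal."""
    return "'" + escape_string(s, standard_conforming_strings) + "'"


def parse_literal(text: str, standard_conforming_strings: bool = True) -> Tuple[str, str]:
    """Toy model of how the server scans one quoted literal at the start of text.

    Returns (decoded_value, remaining_text). Doubled quotes decode to one quote;
    with standard_conforming_strings off, a backslash escapes the next character.
    Only the escapes emitted by escape_string are modelled (no \\n and friends).
    """
    if not text.startswith("'"):
        raise ValueError("literal must start with a quote")
    i, out = 1, []
    while i < len(text):
        c = text[i]
        if c == "'":
            if i + 1 < len(text) and text[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            return "".join(out), text[i + 1:]  # closing quote: literal ends here
        if c == "\\" and not standard_conforming_strings and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated literal")


def round_trips(s: str, standard_conforming_strings: bool = True) -> bool:
    """True if escaping s and scanning the result yields exactly s and nothing else."""
    value, rest = parse_literal(quote_literal(s, standard_conforming_strings),
                                standard_conforming_strings)
    return value == s and rest == ""


def parses_cleanly(literal: str, standard_conforming_strings: bool = True) -> bool:
    """True if the server model accepts literal as one complete, terminated string."""
    try:
        _, rest = parse_literal(literal, standard_conforming_strings)
        return rest == ""
    except ValueError:
        return False


def build_query(name: str, standard_conforming_strings: bool = True) -> str:
    """Assemble a query the way the thread's SQLString() helper is used."""
    return "SELECT * FROM users WHERE name = " + quote_literal(name, standard_conforming_strings)


if __name__ == "__main__":
    # Constructed sample inputs: a name with a quote, a Windows path with backslashes.
    for sample in ("O'Reilly", "C:\\temp\\it's"):
        for mode in (True, False):
            print(mode, build_query(sample, mode), round_trips(sample, mode))
    # The caveat behind PQescapeStringConn: escaping for the wrong server mode
    # can leave a literal unterminated, so the escaper must know the setting.
    print(parses_cleanly("'x\\'", standard_conforming_strings=False))
```

The last line illustrates why the escaping function has to know the server's string mode: `'x\'` is a complete literal when backslashes are ordinary characters, but with that setting off the `\'` pair is read as an escaped quote and the literal never closes.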