| From: | Stephen Cook <sclists(at)gmail(dot)com> |
|---|---|
| To: | RebeccaJ <rebeccaj(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: text column constraint, newbie question |
| Date: | 2009-03-23 06:59:23 |
| Message-ID: | 49C7334B.2010400@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
You should use pg_query_params() rather than build a SQL statement in
your code, to prevent SQL injection attacks. Also, if you are going to
read this data back out and show it on a web page you probably should
make sure there is no rogue HTML or JavaScript or anything in there with
htmlentities() or somesuch.
RebeccaJ wrote:
>>> Are there characters, maybe non-printing characters, or perhaps
>>> even whole phrases, that could cause problems in my database or
>>> application if I were to allow users to enter them into that column?
>>> If so, does anyone happen to have a regular expression handy that you
>>> think is a good choice for text columns' CHECK constraint? Or maybe a
>>> link to a discussion of this topic?
>> Nope, there's nothing you can put into a text to break pgsql.
>> However, if you are using regular old queries, you'd be advised to use
>> pg_escape_string() function in php to prevent SQL injection attacks.
>
> Thanks! I'll check out pg_escape_string() in php, and I see that
> PostgreSQL also has something called PQescapeStringConn... I wonder if
> I should use both...
>
> Also, I should have asked: what about char and varchar fields? Can
> those also handle any characters, as long as I consider SQL injection
> attacks?
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Scott Marlowe | 2009-03-23 07:07:18 | Re: text column constraint, newbie question |
| Previous Message | Erik Jones | 2009-03-23 06:31:35 | Re: [SQL] bash & postgres |