| From: | Raymond O'Donnell <rod(at)iol(dot)ie> |
|---|---|
| To: | Sylvain Racine <syracine(at)sympatico(dot)ca> |
| Cc: | pgsql-php(at)postgresql(dot)org |
| Subject: | Re: Use of pg_escape_string() |
| Date: | 2009-11-22 19:44:48 |
| Message-ID: | 4B0994B0.9040406@iol.ie |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-php |
On 22/11/2009 19:22, Sylvain Racine wrote:
> Hello,
>
> I use to hear about to escape every variables who come from user in PHP.
> Most programmers around me use MySQL with mysql_escape_string(). Because
> I program with PostgreSQL, I take advantage to use pg_escape_string().
> Everything goes well, up I entered data with apostrophe(').
> pg_escape_string() escapes my apostrophe with another apostrophe ('').
> My data are well store in database. No error... except that appears a
> double apostrophe. This is not what I want.
>
> Maybe something is wrong in my program. Here is a sample of what I use
> to store data in table "personnes" which have two columns: firstname,
> lastname. I remove database connection and construction of objects
> Minute and Personnes.
Where is the INSERTed data coming from? - Is it coming from data
submitted by GET or POST? - if so, is magic_quotes_gpc turned on? If it
is, this could explain what you're seeing.
BTW, it's much better to use parametrised queries - look up
pg_query_params in the PHP docs. This looks after all quoting for you
automatically, and prevents SQL injection attacks.
Ray.
--
Raymond O'Donnell :: Galway :: Ireland
rod(at)iol(dot)ie
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Eric Chamberlain | 2009-11-23 17:31:24 | Re: Use of pg_escape_string() |
| Previous Message | Sylvain Racine | 2009-11-22 19:22:07 | Use of pg_escape_string() |