Re: escaping and sql injection - Mailing list pgsql-general

From Neil Conway
Subject Re: escaping and sql injection
Date
Msg-id 1045880032.366.10.camel@tokyo
In response to Re: escaping and sql injection  (Martijn van Oosterhout <kleptog@svana.org>)
List pgsql-general
On Fri, 2003-02-21 at 19:07, Martijn van Oosterhout wrote:
> You can solve the SQL injection problem by escaping all single quotes (')
> and backslashes (\) with a backslash.

Rather than doing this by hand, I think it's probably wiser to let your
language interface do it for you. For example, libpq provides a
PQescapeString() function for escaping strings.

That particular function doesn't handle semi-colons, however.

Cheers,

Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
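The following is an added example, not code from the thread or from libpq. It implements, by hand, the escaping rule Martijn describes (prefix every single quote and backslash with a backslash), builds the same query with and without that escaping, and then scans each result to check that the user-supplied value stayed inside one string literal. The table and column names and the input "O'Brien" are constructed for the example; `escape_literal`, `build_query`, `build_query_unescaped` and `count_literals` are hypothetical names, and in real libpq code the escaping step is the `PQescapeString()` call the reply recommends (on servers newer than this 2003 thread, with `standard_conforming_strings` on, backslashes are not escape characters in ordinary literals, so the connection-aware `PQescapeStringConn()` is the call to use there).

```c
#include <stdio.h>
#include <string.h>

/* Hand-written illustration of the rule quoted in the thread: every single
 * quote and backslash in `in` is prefixed with a backslash. This is NOT
 * libpq's PQescapeString(); it exists only so the example runs without
 * linking libpq. Truncates silently if `out` is too small. Returns the
 * number of bytes written, not counting the terminating NUL. */
size_t escape_literal(char *out, size_t outlen, const char *in)
{
    size_t n = 0;
    for (const char *p = in; *p != '\0'; p++) {
        if (*p == '\'' || *p == '\\') {
            if (n + 2 >= outlen)      /* need two bytes plus room for NUL */
                break;
            out[n++] = '\\';
        } else if (n + 1 >= outlen) {
            break;
        }
        out[n++] = *p;
    }
    out[n] = '\0';
    return n;
}

/* Builds a query around a user-supplied name, escaping it first.
 * Table and column names are made up for the example. */
char *build_query(char *out, size_t outlen, const char *name)
{
    char esc[256];
    escape_literal(esc, sizeof esc, name);
    snprintf(out, outlen, "SELECT id FROM users WHERE name = '%s'", esc);
    return out;
}

/* The same query built without escaping: the construction the thread warns about. */
char *build_query_unescaped(char *out, size_t outlen, const char *name)
{
    snprintf(out, outlen, "SELECT id FROM users WHERE name = '%s'", name);
    return out;
}

/* Counts complete single-quoted literals in `sql`, treating backslash as an
 * escape inside a literal (the convention the escaping rule above assumes).
 * Returns -1 if a literal is left unterminated, the tell-tale sign that the
 * value broke out of its quotes. */
int count_literals(const char *sql)
{
    int inside = 0, count = 0;
    for (const char *p = sql; *p != '\0'; p++) {
        if (!inside) {
            if (*p == '\'')
                inside = 1;
        } else if (*p == '\\' && p[1] != '\0') {
            p++;                      /* skip the escaped character */
        } else if (*p == '\'') {
            inside = 0;
            count++;
        }
    }
    return inside ? -1 : count;
}

int main(void)
{
    char q[256];
    /* Constructed input: a legitimate name that happens to contain a quote. */
    const char *name = "O'Brien";

    build_query(q, sizeof q, name);
    printf("%s  -> literals: %d\n", q, count_literals(q));   /* 1 */

    build_query_unescaped(q, sizeof q, name);
    printf("%s  -> literals: %d\n", q, count_literals(q));   /* -1 */
    return 0;
}
```

The escaped query parses as exactly one literal; the unescaped one ends with an unterminated literal, which is what a parser (or a server) sees when quoting is broken. A check like `count_literals` is a cheap assertion to keep in a test suite for any code that still builds SQL text by hand.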