Re: Escaping metacharacters - Mailing list pgsql-hackers

From Oliver Elphick
Subject Re: Escaping metacharacters
Msg-id 1090188550.25749.105.camel@linda
In response to Escaping metacharacters  (DarkSamurai <julio@invlaid.linux.net>)
List pgsql-hackers
On Thu, 2004-07-15 at 23:02, DarkSamurai wrote:
> Hi,
> 
> To prevent SQL injections, I try to neutralize SQL metacharacters.
> 
> ex:
> 
> Code:
> 
>     function SQLString($s) {
>         // double backslashes first, so the backslash added in front of
>         // each quote below is not itself doubled
>         $s = str_replace("\\", "\\\\", $s);
>         $s = str_replace("'", "\\'", $s);
>         return "'" . $s . "'";
>     }

Have you looked at the function PQescapeString() in the libpq library? 
Using that would seem to be a simpler way of solving this problem.

Libraries such as Perl DBI have similar functions built in.

-- 
Oliver Elphick                                          olly@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA  92C8 39E7 280E 3631 3F0E  1EC0 5664 7A2F A543 10EA
========================================
   "For God so loved the world, that he gave his only begotten Son, that
    whosoever believeth in him should not perish, but have everlasting life."
                                                              John 3:16
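Added example, not part of Oliver's mail or of libpq: a small C program that escapes a string the way the quoted PHP function was meant to (backslashes first, then quotes), beside the wrong-order variant the quoted code actually used, and checks whether the resulting literal is still one whole quoted string. It assumes the PostgreSQL string dialect of the time, where a backslash is an escape inside a single-quoted literal; the function names and the sample inputs are constructed for this illustration. The point is to show concretely why a hand-rolled escaper is fragile and why handing the job to the libpq routine is the better answer.

```c
/* Added example (not from the original mail or from libpq).
 * Demonstrates escaping for the backslash-escape string dialect
 * (PostgreSQL with standard_conforming_strings = off, the default in 2004).
 * In real code use libpq's PQescapeString()/PQescapeStringConn() instead. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replace every `from` character with the two-character sequence `to`.
 * Returns a newly malloc'd string; the caller frees it. */
static char *replace_char(const char *s, char from, const char *to) {
    size_t n = strlen(s), extra = 0;
    for (const char *p = s; *p; p++) if (*p == from) extra++;
    char *out = malloc(n + extra + 1);
    if (!out) return NULL;
    char *q = out;
    for (const char *p = s; *p; p++) {
        if (*p == from) { *q++ = to[0]; *q++ = to[1]; }
        else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Wrap an already-escaped body in single quotes; returns a malloc'd literal. */
static char *quote(const char *body) {
    size_t n = strlen(body);
    char *out = malloc(n + 3);
    if (!out) return NULL;
    out[0] = '\'';
    memcpy(out + 1, body, n);
    out[n + 1] = '\'';
    out[n + 2] = '\0';
    return out;
}

/* Correct order: double backslashes FIRST, then put a backslash before
 * each quote, so the backslash added for a quote is not itself doubled. */
char *sql_literal_correct(const char *s) {
    char *a = replace_char(s, '\\', "\\\\");
    char *b = replace_char(a, '\'', "\\'");
    char *lit = quote(b);
    free(a); free(b);
    return lit;
}

/* Wrong order (what the quoted PHP did): quotes first, then backslashes.
 * The \' produced by step one becomes \\' in step two: an escaped
 * backslash followed by an UNESCAPED quote, which closes the literal. */
char *sql_literal_wrong_order(const char *s) {
    char *a = replace_char(s, '\'', "\\'");
    char *b = replace_char(a, '\\', "\\\\");
    char *lit = quote(b);
    free(a); free(b);
    return lit;
}

/* Minimal scanner for the backslash-escape dialect (ignores the ''
 * doubling form): returns 1 if `lit` is exactly one well-formed quoted
 * literal with nothing after the closing quote, 0 if the quote closes
 * early (the text after it would be parsed as SQL: injection). */
int literal_is_whole(const char *lit) {
    if (lit[0] != '\'') return 0;
    const char *p = lit + 1;
    while (*p) {
        if (*p == '\\') { if (!p[1]) return 0; p += 2; continue; }
        if (*p == '\'') return p[1] == '\0';
        p++;
    }
    return 0; /* never closed */
}

int main(void) {
    /* Constructed inputs: a benign apostrophe, a classic injection
     * payload starting with backslash+quote, and a plain string. */
    const char *inputs[] = { "O'Reilly", "\\' OR 1=1 --", "plain" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *ok = sql_literal_correct(inputs[i]);
        char *bad = sql_literal_wrong_order(inputs[i]);
        printf("input %-14s correct=%-22s whole=%d  wrong=%-22s whole=%d\n",
               inputs[i], ok, literal_is_whole(ok), bad, literal_is_whole(bad));
        free(ok); free(bad);
    }
    return 0;
}
```

Compile with a C compiler and run; the wrong-order variant fails the wholeness check for every input containing a quote, not just for crafted payloads, which is the whole reason to prefer the library routine. In libpq, PQescapeString() handles the ordering; later releases added PQescapeStringConn() and PQescapeLiteral(), which also consult the connection's client encoding and standard_conforming_strings setting, so prefer those where available.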