Home > mailing lists

Re: text column constraint, newbie question - Mailing list pgsql-general

From	David Fetter
Subject	Re: text column constraint, newbie question
Date	March 23, 2009 14:52:03
Msg-id	20090323145155.GC10660@fetter.org Whole thread Raw
In response to	Re: text column constraint, newbie question (Scott Marlowe <scott.marlowe@gmail.com>)
List	pgsql-general

Tree view

On Mon, Mar 23, 2009 at 01:07:18AM -0600, Scott Marlowe wrote:
> On Mon, Mar 23, 2009 at 12:59 AM, Stephen Cook <sclists@gmail.com> wrote:
> > You should use pg_query_params() rather than build a SQL statement
> > in your code, to prevent SQL injection attacks. Also, if you are
> > going to read this data back out and show it on a web page you
> > probably should make sure there is no rogue HTML or JavaScript or
> > anything in there with htmlentities() or somesuch.
>
> Are you saying pg_quer_params is MORE effective than
> pg_escape_string at deflecting SQL injection attacks?

Yes.  Much more.

Cheers,
David.
--
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

pgsql-general by date:

From: jrufener
Date: 23 March 2009, 14:45:58
Subject: problem with at proramn

From: DM
Date: 23 March 2009, 15:04:24
Subject: Re: pg_restore error - Any Idea?

Re: text column constraint, newbie question - Mailing list pgsql-general

Previous

Next