Re: Effectiveness of pg_escape_string at blocking SQL injection attacks - Mailing list pgsql-php

From Ed Finkler
Subject Re: Effectiveness of pg_escape_string at blocking SQL injection attacks
Date
Msg-id 42974583.10207@cerias.purdue.edu
In response to Re: Effectiveness of pg_escape_string at blocking SQL injection attacks  (Bruno Wolff III <bruno@wolff.to>)
List pgsql-php
Bruno Wolff III wrote:

> The best advice is to use bind parameters rather than trying to build
> SQL strings consisting partly of user input.

That's good advice, but I suspect not everyone is going to know this,
and will have a tendency to use the escaping function to try and clean
input.  Do you have any suggestions about improving the security of the
pg_escape_string function?

--
Ed Finkler
Web and Security Archive Administrator
CERIAS - Purdue University
http://www.cerias.purdue.edu/
v: 765.496.6762  f: 764.496.3181
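The contrast Bruno draws, as an added PHP example that is not part of this thread: escaping only protects a value that sits inside a quoted literal, while bind parameters keep the value out of the SQL text entirely. The connection string, table and column names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a reachable PostgreSQL
// server; the connection string below is a placeholder.
$db = pg_connect('host=localhost dbname=example user=app password=secret')
    or die('connect failed');

// Constructed inputs of the shape the thread is worried about.
$user_name = "o'reilly' OR '1'='1";
$user_id   = "1 OR 1=1";

// 1. pg_escape_string doubles the single quote, so the quoted literal
//    stays closed and the whole value is compared as a name.
$sql = "SELECT id, name FROM users WHERE name = '"
     . pg_escape_string($db, $user_name) . "'";
$res = pg_query($db, $sql);

// 2. The same function has nothing to escape in an unquoted numeric
//    context: the text "1 OR 1=1" is passed through unchanged and the
//    WHERE clause no longer filters. Built here only to show the failure
//    mode; it is not executed.
$sql_unquoted = "SELECT id, name FROM users WHERE id = "
              . pg_escape_string($db, $user_id);

// 3. Bind parameters: values travel separately from the query text, so
//    the quoting context is irrelevant and the server applies the column
//    type check itself.
$res = pg_query_params(
    $db,
    'SELECT id, name FROM users WHERE name = $1 AND id = $2',
    [$user_name, $user_id]
);
if ($res === false) {
    // "1 OR 1=1" is not a valid integer, so the server rejects the
    // parameter instead of evaluating it as SQL.
    echo 'server rejected the parameter: ', pg_last_error($db), PHP_EOL;
}
```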
