Home > mailing lists

Re: (security) Rules of thumb for escaping user input? - Mailing list pgsql-general

From	Tom Lane
Subject	Re: (security) Rules of thumb for escaping user input?
Date	May 15, 2002 14:31:32
Msg-id	8638.1021476356@sss.pgh.pa.us Whole thread Raw
In response to	(security) Rules of thumb for escaping user input? (Bill Gribble <grib@linuxdevel.com>)
List	pgsql-general

Tree view

Bill Gribble <grib@linuxdevel.com> writes:
> So the only escaping I do in my app currently is to replace ' with '' in
> user-input strings.  If I assume that the goal is to prevent any
> user-input strings from being evaluated as SQL statements (only to allow
> user input as constant values), what other escaping do I need to do?

In PG you also need to double backslashes.  That's it --- there are no
other special characters in string literals.

            regards, tom lane

pgsql-general by date:

From: Andrew Sullivan
Date: 15 May 2002, 14:30:51
Subject: Re: Is it better to use OS cache or max out memory usage of PostgreSQL?

From: Andy DePue
Date: 15 May 2002, 14:43:36
Subject: Re: Spped of max

Re: (security) Rules of thumb for escaping user input? - Mailing list pgsql-general

Previous

Next