"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> One thing that always gets me is why people think quoting the ' in a string is
> a security feature when they don't allow for someone giving \' in the
> string. On the other hand I'm never sure how to protect against such 'odd
> number of escapes' attacks. Anyone got any clues? Does PQescape do it?
That just means you have to escape \ as well as '.
But the best way to deal with this is to use placeholders and prepared queries
and provide the data out of band. This completely sidesteps the issue and
guarantees you can't get it wrong by mistake ever. Mixing user-provided data
with program code is a recipe for security holes.
--
greg
