Home > mailing lists

Re: stripping HTML, SQL injections ... - Mailing list pgsql-general

From	A.M.
Subject	Re: stripping HTML, SQL injections ...
Date	November 14, 2007 21:51:34
Msg-id	A8645D1F-B662-436F-AD65-AE84865AA82E@themactionfaction.com Whole thread Raw
In response to	Re: stripping HTML, SQL injections ... ("Scott Marlowe" <scott.marlowe@gmail.com>)
Responses	Re: stripping HTML, SQL injections ... ("Scott Marlowe" <scott.marlowe@gmail.com>) Re: stripping HTML, SQL injections ... (Kevin Hunter <hunteke@earlham.edu>)
List	pgsql-general

Tree view

On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:

> On Nov 14, 2007 2:40 PM, madhtr <madhtr@schif.org> wrote:
>> Quick question, are there any native functions in PostGreSQL 8.1.4
>> that will
>> strip HTML tags, escape chars, etc?
>
> I can't think of a lot of native functions, but it's sure easy enough
> to roll your own with things like the regex functionality built in.

Please don't do that- there are corner cases where a naive regex can
fail, leaving the programmer thinking he is covered when he is not.
The variety of web languages include filtering modules
(HTML::Scrubber)- in the case of Perl or PHP, it can even be run
server-side.

Furthermore, one shouldn't use an API which allows for SQL injections.

Cheers,
M

pgsql-general by date:

From: dycharles
Date: 14 November 2007, 21:05:41
Subject: Qeury a boolean column?(using postgresql & EJB)

From: "Scott Marlowe"
Date: 14 November 2007, 22:16:31
Subject: Re: stripping HTML, SQL injections ...

Re: stripping HTML, SQL injections ... - Mailing list pgsql-general

Previous

Next