In article <27702.1090854781@sss.pgh.pa.us>,
Tom Lane <tgl@sss.pgh.pa.us> writes:
> Geoff Caplan <geoff@variosoft.com> writes:
>> Obviously, proper validation is a given for all kinds of reasons. But
>> the problem with validation/escaping as the primary defense against
>> injection seems to be that simply escaping would not catch every type
>> of insertion via strings.
> I think you misunderstood. Escaping is perfectly safe (given a correct
> escaping function) if it's used on *every* untrustworthy input string.
> The argument for the "keep data separate from code" approach is
> essentially just that it's easier to be sure you haven't forgotten
> anyplace where you need to escape.
Exactly. As long as you escape everything, you're safe. The only
thing to remember is that you have to escape in both directions:
whatever you get from your web page and want to put into the DB should
be SQL-escaped, and whatever you get from the DB and want to display
on a web page should be HTML-escaped (including error messages from
PostgreSQL).
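The two directions discussed in this thread, as an added example that is not part of the original messages: inbound data is kept separate from the SQL text by passing it as query parameters (the "keep data separate from code" approach from the quoted reply), and everything read back from the database, error text included, is HTML-escaped before it reaches a page. It uses the standard-library sqlite3 module as an offline stand-in for a PostgreSQL connection; the table, the sample comment and the error string are constructed for the example.

```python
import html
import sqlite3


def build_db():
    # Constructed stand-in for a PostgreSQL database so the example runs
    # offline; the same pattern applies with a real driver.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return conn


def store_comment(conn, author, body):
    # Inbound direction: the SQL text contains only placeholders, and the
    # values travel separately, so the driver does the quoting and there
    # is no hand-written escape call that could be forgotten.
    conn.execute(
        "INSERT INTO comments (author, body) VALUES (?, ?)", (author, body)
    )
    conn.commit()


def render_comments(conn):
    # Outbound direction: every value that comes back from the DB is
    # HTML-escaped before it is placed into markup.
    rows = conn.execute(
        "SELECT author, body FROM comments ORDER BY rowid"
    ).fetchall()
    return "\n".join(
        f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"
        for author, body in rows
    )


def render_error(message):
    # Database error messages frequently echo the offending input, so they
    # are treated as untrusted output and escaped like any other DB data.
    return f'<p class="error">{html.escape(message)}</p>'


def demo():
    conn = build_db()
    # Constructed input carrying both SQL and HTML metacharacters.
    store_comment(conn, "o'brien", "<script>alert(1)</script>'; DROP TABLE comments; --")
    page = render_comments(conn)
    # The table must still exist and hold exactly the one stored row.
    count = conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    # Constructed error text of the kind a database might return.
    error_html = render_error("syntax error at or near \"<img src=x onerror=alert(1)>\"")
    return {"page": page, "count": count, "error_html": error_html}


if __name__ == "__main__":
    result = demo()
    print(result["page"])
    print(result["error_html"])
```

Note that the first direction relies on the driver's parameter binding rather than a string-escaping function, which is exactly the trade-off the quoted reply describes: both are safe when applied everywhere, but parameters make "everywhere" easier to audit.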