On Fri, May 27, 2005 at 10:57:16 -0500,
Ed Finkler <coj(at)cerias(dot)purdue(dot)edu> wrote:
> Folks,
>
> The php mysql api has a function "mysql_real_escape_string" that seems
> to be able to thwart known SQL injection attacks -- at least the ones of
> which I and other people I've discussed this with know. I am curious to
> know if pg_escape_string is as effective. If not, what would need to be
> modified to make it more effective?
>
> (there is a possibility that I may be able to get a grad student to work
> on this at the center, so detailed responses would be appreciated.)
The best advice is to use bind parameters rather than trying to build
SQL strings consisting partly of user input.