Re: Effectiveness of pg_escape_string at blocking SQL injection attacks

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Ed Finkler <coj(at)cerias(dot)purdue(dot)edu>
Cc: pgsql-php(at)postgresql(dot)org
Subject: Re: Effectiveness of pg_escape_string at blocking SQL injection attacks
Date: 2005-05-27 15:59:22
Message-ID: 20050527155922.GA3930@wolff.to
Lists: pgsql-php

On Fri, May 27, 2005 at 10:57:16 -0500,
Ed Finkler <coj(at)cerias(dot)purdue(dot)edu> wrote:
> Folks,
>
> The php mysql api has a function "mysql_real_escape_string" that seems
> to be able to thwart known SQL injection attacks -- at least the ones of
> which I and other people I've discussed this with know. I am curious to
> know if pg_escape_string is as effective. If not, what would need to be
> modified to make it more effective?
>
> (there is a possibility that I may be able to get a grad student to work
> on this at the center, so detailed responses would be appreciated.)

The best advice is to use bind parameters rather than trying to build
SQL strings consisting partly of user input.
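As an added illustration of that advice (not code from this thread, nor from PHP or PostgreSQL themselves), here is the same lookup written with plain concatenation, with pg_escape_string, and with bind parameters via pg_query_params and pg_prepare. It assumes an open pg_connect() handle in $conn and a users table with id and username columns; both are assumptions.

```php
<?php
// Added example (not from the thread). Assumes $conn is an open pg_connect()
// handle and a table "users" with columns "id" and "username" (both assumed).

// Constructed untrusted input. The apostrophe is legitimate (a real surname),
// but it is also the character that terminates a SQL string literal.
$untrusted = "o'reilly";

// 1. String building with no escaping: the apostrophe closes the literal
//    early, so this query fails for ordinary input and changes meaning for
//    crafted input. This is the pattern the question is worried about.
function lookup_unsafe($conn, $name) {
    $sql = "SELECT id FROM users WHERE username = '" . $name . "'";
    return pg_query($conn, $sql);   // false for "o'reilly": syntax error
}

// 2. pg_escape_string: correct only if every interpolated value is escaped,
//    wrapped in quotes, and escaped for this connection's encoding (hence
//    the $conn argument), and only for string literals, never for numbers,
//    identifiers or keywords. One forgotten call anywhere reopens the hole.
function lookup_escaped($conn, $name) {
    $sql = "SELECT id FROM users WHERE username = '"
         . pg_escape_string($conn, $name) . "'";   // o'reilly -> o''reilly
    return pg_query($conn, $sql);
}

// 3. Bind parameters, as the reply recommends: the SQL text and the data
//    are sent separately, so the value is never parsed as SQL and no
//    escaping is involved. $1 is the PostgreSQL placeholder syntax.
function lookup_bound($conn, $name) {
    return pg_query_params($conn,
        'SELECT id FROM users WHERE username = $1', [$name]);
}

// Same thing as a named prepared statement, handy for repeated queries.
function lookup_prepared($conn, $name) {
    pg_prepare($conn, 'user_by_name',
               'SELECT id FROM users WHERE username = $1');
    return pg_execute($conn, 'user_by_name', [$name]);
}

// Parameters stand in for values only: a table or column name still cannot
// be bound, so such names must come from an allow-list, not from the user.
foreach (['lookup_unsafe', 'lookup_escaped', 'lookup_bound', 'lookup_prepared'] as $fn) {
    $res = $fn($conn, $untrusted);
    printf("%-16s %s\n", $fn, $res === false
        ? 'query error: ' . trim(pg_last_error($conn))
        : pg_num_rows($res) . ' row(s)');
}
```

Running it against a real database shows lookup_unsafe failing on the apostrophe while the other three return the same rows, which is the practical difference the reply is pointing at.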
