| From: | <operationsengineer1(at)yahoo(dot)com> |
|---|---|
| To: | Ed Finkler <coj(at)cerias(dot)purdue(dot)edu>, Volkan YAZICI <volkan(dot)yazici(at)gmail(dot)com> |
| Cc: | pgsql-php(at)postgresql(dot)org |
| Subject: | Re: Effectiveness of pg_escape_string at blocking SQL injection |
| Date: | 2005-05-27 17:25:52 |
| Message-ID: | 20050527172552.50460.qmail@web52409.mail.yahoo.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-php |
--- Ed Finkler <coj(at)cerias(dot)purdue(dot)edu> wrote:
> Volkan YAZICI wrote:
>
> [snip]
>
> > If you think, they're not enough for SQL-Injection
> attacks, I'd advice
> > you to patch libpq code, not PHP.
>
> This is very helpful information. My initial
> thinking is that this
> wouldn't be effective at catching SQL injections,
> but I'll need to
> bounce this off a few other folks.
>
> Thanks!
do let us all know what you find out.
bruno and all... what are bind parameters? how can i
avoid building sql from user input when my sql depends
on user input?
tia...
__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new Resources site
http://smallbusiness.yahoo.com/resources/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruno Wolff III | 2005-05-27 18:13:41 | Re: Effectiveness of pg_escape_string at blocking SQL injection |
| Previous Message | Ed Finkler | 2005-05-27 16:33:33 | Re: Effectiveness of pg_escape_string at blocking SQL injection |