| From: | David Fetter <david(at)fetter(dot)org> |
|---|---|
| To: | Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> |
| Cc: | Stephen Cook <sclists(at)gmail(dot)com>, RebeccaJ <rebeccaj(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: text column constraint, newbie question |
| Date: | 2009-03-23 14:51:55 |
| Message-ID: | 20090323145155.GC10660@fetter.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Mon, Mar 23, 2009 at 01:07:18AM -0600, Scott Marlowe wrote:
> On Mon, Mar 23, 2009 at 12:59 AM, Stephen Cook <sclists(at)gmail(dot)com> wrote:
> > You should use pg_query_params() rather than build a SQL statement
> > in your code, to prevent SQL injection attacks. Also, if you are
> > going to read this data back out and show it on a web page you
> > probably should make sure there is no rogue HTML or JavaScript or
> > anything in there with htmlentities() or somesuch.
>
> Are you saying pg_quer_params is MORE effective than
> pg_escape_string at deflecting SQL injection attacks?
Yes. Much more.
Cheers,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
| From | Date | Subject | |
|---|---|---|---|
| Next Message | DM | 2009-03-23 15:04:14 | Re: pg_restore error - Any Idea? |
| Previous Message | jrufener | 2009-03-23 14:45:51 | problem with at proramn |