From: | Alex Turner <armtuk(at)gmail(dot)com> |
---|---|
To: | Matthew Terenzio <matt(at)jobsforge(dot)com> |
Cc: | Michael Glaesemann <grzm(at)myrealbox(dot)com>, Kevin Murphy <murphy(at)genome(dot)chop(dot)edu>, "Matthew D(dot) Fuller" <fullermd(at)over-yonder(dot)net>, PostgreSQL general <pgsql-general(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Subject: | Re: SQL injection |
Date: | 2005-11-03 03:12:31 |
Message-ID: | 33c6269f0511021912m26c9507mcd01090ba4c20d34@mail.gmail.com |
Lists: | pgsql-general |
Curiously none are security reasons, they are more portability reasons
(and pretty thin ones at that)... but then this is PHP we are talking
about - let me just say register_globals and end it there.
I would have to say that for security purposes - I would want magic
quotes _on_ rather than off for the whole reasons of SQL Injection
that we already talked about. Generally most scripts I write spend
more time sending data to the DB than re-reading straight from the DB
rather than re-using data pushed through POST/GET, and the functions
that are exceptions auto unescape the data again for me...
Alex
On 11/2/05, Matthew Terenzio <matt(at)jobsforge(dot)com> wrote:
>
> On Nov 2, 2005, at 6:08 PM, Michael Glaesemann wrote:
>
> > As an aside, it's interesting to see that the PHP documentation states:
> > ---
> > Magic Quotes is a process that automagically escapes incoming data to
> > the PHP script. It's preferred to code with magic quotes off and to
> > instead escape the data at runtime, as needed.
> Haven't been totally immersed in this thread but here are reasons given
> for not using Magic Quotes:
>
> http://us2.php.net/manual/en/security.magicquotes.whynot.php
>
> And here is pg_escape_string() :
>
> http://us3.php.net/manual/en/function.pg-escape-string.php
>
>
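The escaping behaviours the thread is weighing against each other (magic quotes on, pg_escape_string(), and the bound-parameter route the pg_escape_string() manual page leads on to), as an added example that is not code from any poster. The users table, the name and id columns, and the $conn handle are assumptions made for illustration:

```php
<?php
// Added example for this thread; not code from any of the posters.
// Assumes PHP 7+ with the pgsql extension. The users table, the name/id
// columns and $conn (a pg_connect() handle, or null to stay offline) are
// assumptions for illustration.
declare(strict_types=1);

// magic_quotes_gpc (removed in PHP 5.4) ran addslashes() over every
// $_GET/$_POST/$_COOKIE value before the script saw it, wherever the
// value was headed. Reproduced here so the effect can be compared.
function magic_quote(string $raw): string
{
    return addslashes($raw);
}

// 1. String context. addslashes() emits \' which PostgreSQL only treats
//    as an escaped quote while standard_conforming_strings = off (the
//    pre-9.1 default). With it on, the backslash is literal and the
//    quote ends the literal early.
function name_query_magic(string $rawName): string
{
    return "SELECT id FROM users WHERE name = '" . magic_quote($rawName) . "'";
}

// pg_escape_string() doubles the quote ('') and, given the connection,
// handles backslashes the way that particular server expects.
function name_query_escaped($conn, string $rawName): string
{
    $escaped = ($conn === null)
        ? pg_escape_string($rawName)          // libpq fallback, no server settings known;
                                              // deprecated form in PHP 8.1+, pass $conn in real code
        : pg_escape_string($conn, $rawName);  // asks the connection how it parses literals
    return "SELECT id FROM users WHERE name = '" . $escaped . "'";
}

// 2. Numeric context. There is no quote to escape, so magic quotes pass
//    "1 OR 1=1" through unchanged. Validate the type instead.
function id_query_magic(string $rawId): string
{
    return 'SELECT id FROM users WHERE id = ' . magic_quote($rawId);
}

function id_query_checked(string $rawId): string
{
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('id must be an unsigned integer');
    }
    return 'SELECT id FROM users WHERE id = ' . (int) $rawId;
}

// 3. Bound parameters: the value travels separately from the SQL text, so
//    neither the server's quoting rules nor string-vs-numeric context matter.
function lookup_user($conn, string $rawName)
{
    return pg_query_params($conn, 'SELECT id FROM users WHERE name = $1', [$rawName]);
}

// Offline demonstration of the SQL each approach generates.
$conn = null;                      // replace with pg_connect('...') to use lookup_user()
$attack = "' OR '1'='1";           // constructed sample input

echo name_query_magic($attack), PHP_EOL;     // quote becomes \' (backslash escape)
echo name_query_escaped($conn, $attack), PHP_EOL; // quote becomes '' (SQL-standard)
echo id_query_magic('1 OR 1=1'), PHP_EOL;    // attack string passes through untouched
try {
    id_query_checked('1 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The two string-context functions show why "magic quotes on" is not the same thing as escaping: addslashes() is one fixed rule applied before the script knows where the data is going, while pg_escape_string() is tied to the connection and to the server's literal syntax. The numeric-context pair shows a case magic quotes never covered at all, because there is no quote to escape. The same addslashes() pass also mangles any value that is only echoed or written to a file, which is why scripts written for magic quotes on end up calling stripslashes() on the way back out. pg_query_params() removes the question, since the value is never part of the SQL text.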