| From: | Yonatan Ben-Nes <da(at)canaan(dot)co(dot)il> |
|---|---|
| To: | Hannes Dorbath <light(at)theendofthetunnel(dot)de> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: SQL injection |
| Date: | 2005-11-03 12:19:54 |
| Message-ID: | 436A006A.3040709@canaan.co.il |
| Lists: | pgsql-general |
Hannes Dorbath wrote:
> On 03.11.2005 04:12, Alex Turner wrote:
>
>> I would have to say that for security purposes - I would want magic
>> quotes _on_ rather than off for the whole reasons of SQL Injection
>> that we already talked about.
>
>
> magic_quotes is evil and does if anything only prevent the simplest
> cases of SQL injections. Keep it turned off. Use
> http://php.net/pg_query_params exclusively to build secure queries.
>
>
The problem with pg_query_params is that you will be forced to use an RC
version of PHP... I don't know about you but I think that for
production sites I prefer to use the final versions.
I think that prepared statements are the best solution here even if it's
encumbering everything a little...
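For comparison, here are the three approaches the thread contrasts, written out in PHP against PostgreSQL. This is an added example, not code posted by anyone in the thread; the connection string, the `users` table and its `name`/`email` columns are assumptions.

```php
<?php
// Added example: string-built query versus pg_query_params versus a
// server-side prepared statement. Connection details and the table
// layout (users(name text, email text)) are placeholders.
$conn = pg_connect('host=localhost dbname=app user=app password=PLACEHOLDER');
if ($conn === false) {
    die("connection failed\n");
}

$name = isset($_GET['name']) ? $_GET['name'] : '';   // untrusted input

// 1. Unsafe pattern (shown for contrast, not used below): the input is
//    spliced into the SQL text, so whatever it contains is parsed as SQL.
//    magic_quotes only backslash-escapes quotes and still leaves the
//    input in the statement text, which is why it is not a defence.
// $res = pg_query($conn, "SELECT email FROM users WHERE name = '" . $name . "'");

// 2. pg_query_params (PHP 5.1 and later): the statement text is fixed and
//    the values travel to the server separately as $1, $2, ...; they are
//    never parsed as SQL, so no escaping is needed.
$res = pg_query_params($conn, 'SELECT email FROM users WHERE name = $1', array($name));

// 3. Prepared statement: pg_prepare parses the statement once on the
//    server, pg_execute binds values to it. Same separation of code and
//    data as (2), and cheaper when the same statement runs repeatedly.
pg_prepare($conn, 'user_by_name', 'SELECT email FROM users WHERE name = $1');
$res = pg_execute($conn, 'user_by_name', array($name));

if ($res === false) {
    die("query failed: " . pg_last_error($conn) . "\n");
}
while ($row = pg_fetch_assoc($res)) {
    echo htmlspecialchars($row['email']), "\n";
}
pg_close($conn);
```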