From: | Yonatan Ben-Nes <da(at)canaan(dot)co(dot)il> |
---|---|
To: | Hannes Dorbath <light(at)theendofthetunnel(dot)de> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: SQL injection |
Date: | 2005-11-03 12:19:54 |
Message-ID: | 436A006A.3040709@canaan.co.il |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Hannes Dorbath wrote:
> On 03.11.2005 04:12, Alex Turner wrote:
>
>> I would have to say that for security purposes - I would want magic
>> quotes _on_ rather than off for the whole reasons of SQL Injection
>> that we already talked about.
>
>
> magic_quotes is evil and does if anything only prevent the simplest
> cases of SQL injections. Keep it turned off. Use
> http://php.net/pg_query_params exclusively to build secure queries..
>
>
The problem with pg_query_params is that you will be forced to use an RC
version of PHP.... I don't know about you but I think that for
production sites I prefer to use the final versions.
I think that prepared statements is the best solution here even if its
encumbering everything alittle...
From | Date | Subject | |
---|---|---|---|
Next Message | Sim Zacks | 2005-11-03 12:20:14 | Re: left join a parenthesised inner join group |
Previous Message | Sim Zacks | 2005-11-03 11:33:20 | left join a parenthesised inner join group |