| From: | Kevin Hunter <hunteke(at)earlham(dot)edu> |
|---|---|
| To: | "A(dot)M(dot)" <agentm(at)themactionfaction(dot)com> |
| Cc: | Postgres General List <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: stripping HTML, SQL injections ... |
| Date: | 2007-11-18 21:29:29 |
| Message-ID: | 4740AEB9.9010005@earlham.edu |
| Lists: | pgsql-general |
At 5:51p -0500 on 14 Nov 2007, A.M. wrote:
> On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
>
>> On Nov 14, 2007 2:40 PM, madhtr <madhtr(at)schif(dot)org> wrote:
>>> Quick question, are there any native functions in PostGreSQL 8.1.4
>>> that will strip HTML tags, escape chars, etc?
>>
>> I can't think of a lot of native functions, but it's sure easy enough
>> to roll your own with things like the regex functionality built in.
>
> Please don't do that- there are corner cases where a naive regex can
> fail, leaving the programmer thinking he is covered when he is not. The
> variety of web languages include filtering modules (HTML::Scrubber)- in
> the case of Perl or PHP, it can even be run server-side.
>
> Furthermore, one shouldn't use an API which allows for SQL injections.
Sorry for the 4-day late response (out of town). Doesn't Postgres do
the escaping for you if you prepare the statement beforehand? It still
doesn't remove the HTML tags, though ...
Kevin
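The two points raised in this reply, shown as an added example that is not part of the thread: a bound parameter is sent to the server separately from the SQL text, so a quote inside the value never changes the statement (it is not "escaped" into the string, it simply never becomes part of it), while an HTML tag inside the same value is stored untouched and has to be dealt with at output time. The example assumes Python's standard-library `sqlite3` as a stand-in for a PostgreSQL driver (the `?` placeholder would be `%s` with psycopg2; the mechanism is the same) and a constructed sample comment containing both an apostrophe and a tag.

```python
import html
import sqlite3

# Constructed sample input: an apostrophe (meaningful to SQL) and a tag (meaningful to HTML).
SAMPLE_COMMENT = "O'Brien says <b>hi</b>"


def make_db():
    """In-memory SQLite stands in for PostgreSQL (assumption); DB-API placeholders work the same way."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def insert_naive(conn, body):
    """Builds the SQL by string formatting. Returns True on success, False when the
    apostrophe in the value breaks the statement: the value has become SQL text."""
    try:
        conn.execute("INSERT INTO comments (body) VALUES ('%s')" % body)
        return True
    except sqlite3.OperationalError:
        return False


def insert_bound(conn, body):
    """Binds the value as a parameter: the SQL text is fixed, the value travels
    separately, so nothing in it is interpreted as SQL. Returns the stored text."""
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (cur.lastrowid,)).fetchone()
    return row[0]


def render(body):
    """Parameter binding does nothing about HTML: the tag comes back exactly as stored,
    so encode it when the value is written into a page, not when it is stored."""
    return html.escape(body, quote=True)


if __name__ == "__main__":
    conn = make_db()
    print("naive insert succeeded:", insert_naive(conn, SAMPLE_COMMENT))
    stored = insert_bound(conn, SAMPLE_COMMENT)
    print("stored verbatim:", stored == SAMPLE_COMMENT)
    print("rendered:", render(stored))
```

Running it shows the naive insert failing on the apostrophe while the bound insert stores the comment verbatim, tag included; `render` then encodes the tag and the quote for the browser. Escaping at output rather than stripping at storage is the usual choice because the stored text stays faithful and the encoding can be chosen per output context.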