From: | "Daniel Verite" <daniel(at)manitou-mail(dot)org> |
---|---|
To: | "RebeccaJ" <rebeccaj(at)gmail(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: text column constraint, newbie question |
Date: | 2009-03-24 11:24:20 |
Message-ID: | 546c88aa-fbd1-4d32-98aa-15c8b691c38d@mm |
Lists: | pgsql-general |
RebeccaJ wrote:
> Thanks, everyone, for your contribution to this thread. I'm
> approaching the database design of my web application differently,
> now. Before, I was planning to have CHECK constraints in all of my
> text or char fields, to keep out all semicolons, single quotes, and
> anything else that looked dangerous. Now I'm thinking that I'll be
> using htmlentities(), pg_escape_string() and pg_query_params() as
> safety filters, and otherwise allowing users to store whatever they
> want to, in the fields where I store/retrieve user input.
Note that htmlentities() expects LATIN1-encoded strings and is thus
unusable on UTF-8 contents.
So if you end up talking UTF-8 with the database, you'll probably need
to use htmlspecialchars() instead, and UTF-8 as your HTML charset.
Best regards,
--
Daniel
PostgreSQL-powered mail user agent and storage:
http://www.manitou-mail.org
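The design RebeccaJ describes (bound parameters for storage, escaping at output time) and the charset caveat Daniel raises, as an added, stand-alone example that is not part of the original thread. It makes several assumptions so that it runs offline: Python's stdlib `sqlite3` stands in for PostgreSQL and `pg_query_params()`, `html.escape()` stands in for `htmlspecialchars()`, and `render_as_if_latin1()` models what a Latin-1-charset `htmlentities()` does to UTF-8 text (each byte of a multibyte sequence read as its own character). The sample values are constructed.

```python
"""Added example, not code from the thread: store user text with bound
parameters, escape it only when rendering HTML, and see why the HTML
escaper must agree with the page charset.

Assumptions: sqlite3 stands in for PostgreSQL/pg_query_params(), html.escape
for PHP's htmlspecialchars(), and render_as_if_latin1() models a Latin-1
htmlentities() applied to UTF-8 input. Sample inputs are constructed."""
import html
import re
import sqlite3

# Constructed inputs: legitimate values that a "no quotes, no semicolons"
# CHECK constraint would reject, plus one that merely looks hostile.
SAMPLES = [
    "O'Brien",                          # apostrophe in a real surname
    "Crème brûlée; see <b>menu</b>",    # UTF-8 text with a semicolon and markup
    "1; DROP TABLE comments; --",       # hostile-looking, but inert once bound
]

# The blacklist approach the original poster was going to put in CHECK constraints.
BLACKLIST = re.compile(r"""[;'"<>]""")


def blacklist_accepts(value):
    """Return True if the character blacklist would let this value through."""
    return BLACKLIST.search(value) is None


def store_and_fetch(values):
    """Insert each value with a bound parameter and read it back unchanged.

    '?' is sqlite3's placeholder (pg_query_params() uses $1, $2, ...). The
    driver ships the value separately from the SQL text, so quotes and
    semicolons inside it are data, never syntax. No filtering is needed.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)"
    )
    for v in values:
        conn.execute("INSERT INTO comments (body) VALUES (?)", (v,))
    rows = [r[0] for r in conn.execute("SELECT body FROM comments ORDER BY id")]
    conn.close()
    return rows


def render_html_utf8(value):
    """Output escaping for a page served as UTF-8 (htmlspecialchars-style):
    escape & < > " ' and leave non-ASCII characters untouched."""
    return html.escape(value, quote=True)


def render_as_if_latin1(value):
    """Model of htmlentities() with a Latin-1 charset fed UTF-8 text.

    The UTF-8 bytes are reinterpreted one byte per character, then every
    non-ASCII character becomes an entity, so 'è' (C3 A8) turns into two
    entities for 'Ã' and '¨': the browser shows mojibake, not the original.
    """
    mojibake = value.encode("utf-8").decode("latin-1")
    escaped = html.escape(mojibake, quote=True)
    return escaped.encode("ascii", "xmlcharrefreplace").decode("ascii")


if __name__ == "__main__":
    stored = store_and_fetch(SAMPLES)
    for original, fetched in zip(SAMPLES, stored):
        print(f"blacklist accepts: {blacklist_accepts(original)!s:5}  "
              f"round-trips intact: {original == fetched}")
        print("  UTF-8 render :", render_html_utf8(fetched))
        print("  Latin-1 model:", render_as_if_latin1(fetched))
```

Run it and compare the two render lines for the second sample: the UTF-8 path keeps the accented letters and neutralises the markup, while the Latin-1 model emits byte-per-byte entities that a browser displays as garbage. The first column also shows that the blacklist would have rejected all three inputs, including two perfectly ordinary ones, while the bound-parameter insert stores and returns each of them verbatim.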