| From: | Matthew Terenzio <matt(at)jobsforge(dot)com> |
|---|---|
| To: | Michael Glaesemann <grzm(at)myrealbox(dot)com> |
| Cc: | Kevin Murphy <murphy(at)genome(dot)chop(dot)edu>, Alex Turner <armtuk(at)gmail(dot)com>, "Matthew D(dot) Fuller" <fullermd(at)over-yonder(dot)net>, PostgreSQL general <pgsql-general(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Subject: | Re: SQL injection |
| Date: | 2005-11-03 00:09:00 |
| Message-ID: | 767911e873f98ba28df3c639f738ec3f@jobsforge.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Nov 2, 2005, at 6:08 PM, Michael Glaesemann wrote:
> As an aside, it's interesting to see that the PHP documentation states:
> ---
> Magic Quotes is a process that automagically escapes incoming data to
> the PHP script. It's preferred to code with magic quotes off and to
> instead escape the data at runtime, as needed.
Haven't been totally immersed in this thread but here are reasons given
for not using Magic Quotes:
http://us2.php.net/manual/en/security.magicquotes.whynot.php
And here is pg_escape_string() :
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2005-11-03 00:12:36 | Re: Lock Modes (Documentation) |
| Previous Message | Patrick Hatcher | 2005-11-02 23:58:44 | Re: Data Dictionary generator? |