Re: (security) Rules of thumb for escaping user input?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bill Gribble <grib(at)linuxdevel(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: (security) Rules of thumb for escaping user input?
Date: 2002-05-15 15:25:56
Message-ID: 8638.1021476356@sss.pgh.pa.us
Lists: pgsql-general

Bill Gribble <grib(at)linuxdevel(dot)com> writes:
> So the only escaping I do in my app currently is to replace ' with '' in
> user-input strings. If I assume that the goal is to prevent any
> user-input strings from being evaluated as SQL statements (only to allow
> user input as constant values), what other escaping do I need to do?

In PG you also need to double backslashes. That's it --- there are no
other special characters in string literals.

regards, tom lane
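The escaping rule in the reply, and the hole it closes, as an added example (Python; not code from the thread or from PostgreSQL itself). `quote_literal` applies the rule stated above (double every single quote and every backslash, nothing else is special), and `scan_literal` is a small model of how the server's lexer consumes the resulting constant, so the test can check that attacker-supplied text can no longer terminate the literal. The function names, the payload and the sample strings are this example's own. One caveat that postdates the 2002 message: PostgreSQL's later `E'...'` constants always process backslash escapes, while plain `'...'` constants stop doing so once `standard_conforming_strings` is on (the default since 9.1), so the example emits `E'...'` to keep the doubled-backslash rule correct on either setting.

```python
# Added example, not part of the original pgsql-general thread.
# quote_literal: the rule from the reply (double ' and \, nothing else).
# scan_literal: a tiny model of the server lexer, used to show the effect.

def quote_literal(value: str, escape_syntax: bool = True) -> str:
    """Return `value` as a PostgreSQL string constant.

    escape_syntax=True emits an E'...' constant, in which backslash escapes
    are processed regardless of standard_conforming_strings, so doubling
    both ' and \\ is always correct for it. escape_syntax=False emits the
    plain '...' form the 2002 thread discusses; on a modern server with
    standard_conforming_strings=on that form treats backslashes literally
    and the doubled backslash would be stored as two characters.
    """
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    return ("E'" if escape_syntax else "'") + escaped + "'"


def quotes_only(value: str) -> str:
    """The incomplete rule from the question: double quotes, ignore backslashes."""
    return "'" + value.replace("'", "''") + "'"


def scan_literal(sql: str, backslash_escapes: bool = True):
    """Consume one string constant at the start of `sql` the way the lexer
    would. Returns (decoded_value, remaining_sql). backslash_escapes=True
    models E'...' (or plain '...' on the 2002-era server, where escapes
    were always processed); False models '...' with
    standard_conforming_strings=on. This is a simplified model: only
    \\n and \\t are translated, any other escaped char stands for itself.
    """
    if sql.startswith(("E'", "e'")):
        i, backslash_escapes = 2, True
    elif sql.startswith("'"):
        i = 1
    else:
        raise ValueError("not a string constant")
    out = []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and backslash_escapes and i + 1 < len(sql):
            nxt = sql[i + 1]
            out.append({"n": "\n", "t": "\t"}.get(nxt, nxt))
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":      # '' inside a constant is one quote
                out.append("'")
                i += 2
            else:                            # unescaped quote ends the constant
                return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string constant")


def injection_tail(literal: str) -> str:
    """SQL text, if any, that escapes the literal an attacker controlled."""
    return scan_literal(literal)[1]


# Constructed attacker input: a backslash, a quote, then SQL. The backslash
# neutralises the doubled quote that quotes_only() inserts, so the quote
# after it terminates the constant early.
PAYLOAD = "\\' OR 1=1 --"

if __name__ == "__main__":
    print("quotes only  :", quotes_only(PAYLOAD), "->", repr(injection_tail(quotes_only(PAYLOAD))))
    print("full rule    :", quote_literal(PAYLOAD), "->", repr(injection_tail(quote_literal(PAYLOAD))))
```

Run stand-alone, the first line shows ` OR 1=1 --'` spilling out of the quote-only literal while the second shows nothing escaping the properly doubled one; `scan_literal` also round-trips the decoded value back to the original input, which is the property a correct escaper must have.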
