Re: stripping HTML, SQL injections ...

Scott-

In JavaScript
http://www.java2s.com/Tutorial/JavaScript/0520__Regular-Expressions/StripHTM
L.htm

M--
----- Original Message -----
From: "Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com>
To: "A.M." <agentm(at)themactionfaction(dot)com>
Cc: "pgsql-general" <pgsql-general(at)postgresql(dot)org>
Sent: Wednesday, November 14, 2007 6:16 PM
Subject: Re: [GENERAL] stripping HTML, SQL injections ...

> On Nov 14, 2007 4:51 PM, A.M. <agentm(at)themactionfaction(dot)com> wrote:
> >
> >
> > On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
> >
> > > On Nov 14, 2007 2:40 PM, madhtr <madhtr(at)schif(dot)org> wrote:
> > >> Quick question, are there any native functions in PostGreSQL 8.1.4
> > >> that will
> > >> strip HTML tags, escape chars, etc?
> > >
> > > I can't think of a lot of native functions, but it's sure easy enough
> > > to roll your own with things like the regex functionality built in.
> >
> > Please don't do that- there are corner cases where a naive regex can
> > fail, leaving the programmer thinking he is covered when he is not.
> > The variety of web languages include filtering modules
> > (HTML::Scrubber)- in the case of Perl or PHP, it can even be run
> > server-side.
>
> And given that pl/PHP can run that inside the database, there's a
> reason you can't do it there?
>
> > Furthermore, one shouldn't use an API which allows for SQL injections.
>
> Oh heck, I hadn't even noticed he was asking about escaping things. I
> guess it really matters what he means by escaping them. If he's
> talking url encoding decoding, that's something you could do safely in
> the db (again, with something like pl/PHP or pl/perl) but SQL escaping
> should be done before the db ever sees the data.
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: explain analyze is your friend
>