From: | "Martin Gainty" <mgainty(at)hotmail(dot)com> |
---|---|
To: | "Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com> |
Cc: | "pgsql-general" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: stripping HTML, SQL injections ... |
Date: | 2000-11-14 23:59:39 |
Message-ID: | BAY108-DAV621C7E0A9C2059C529A02AE820@phx.gbl |
Lists: | pgsql-general |
Scott-
In JavaScript
http://www.java2s.com/Tutorial/JavaScript/0520__Regular-Expressions/StripHTML.htm
M--
----- Original Message -----
From: "Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com>
To: "A.M." <agentm(at)themactionfaction(dot)com>
Cc: "pgsql-general" <pgsql-general(at)postgresql(dot)org>
Sent: Wednesday, November 14, 2007 6:16 PM
Subject: Re: [GENERAL] stripping HTML, SQL injections ...
> On Nov 14, 2007 4:51 PM, A.M. <agentm(at)themactionfaction(dot)com> wrote:
> >
> >
> > On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
> >
> > > On Nov 14, 2007 2:40 PM, madhtr <madhtr(at)schif(dot)org> wrote:
> > >> Quick question, are there any native functions in PostGreSQL 8.1.4
> > >> that will
> > >> strip HTML tags, escape chars, etc?
> > >
> > > I can't think of a lot of native functions, but it's sure easy enough
> > > to roll your own with things like the regex functionality built in.
> >
> > Please don't do that- there are corner cases where a naive regex can
> > fail, leaving the programmer thinking he is covered when he is not.
> > The variety of web languages include filtering modules
> > (HTML::Scrubber)- in the case of Perl or PHP, it can even be run
> > server-side.
>
> And given that pl/PHP can run that inside the database, there's a
> reason you can't do it there?
>
> > Furthermore, one shouldn't use an API which allows for SQL injections.
>
> Oh heck, I hadn't even noticed he was asking about escaping things. I
> guess it really matters what he means by escaping them. If he's
> talking url encoding decoding, that's something you could do safely in
> the db (again, with something like pl/PHP or pl/perl) but SQL escaping
> should be done before the db ever sees the data.
>
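Added example, not part of the thread or of any PostgreSQL code: it checks the two points made above, A.M.'s warning that a naive regex tag stripper fails on corner cases a real HTML parser handles, and Scott's point that SQL escaping belongs to the client API rather than the data. The regex is the generic "delete anything between < and >" one-liner that the java2s page above also uses; the parser-based version uses Python's standard html.parser. The inputs are constructed for the demonstration, and the database part uses an in-memory sqlite3 database (psycopg2 against PostgreSQL works the same way with %s placeholders instead of ?).

```python
import re
import sqlite3
from html.parser import HTMLParser

# 1. Tag stripping: the regex one-liner versus a tokenizing parser.

# Generic regex stripper: delete anything between '<' and the next '>'.
NAIVE_TAG_RE = re.compile(r"<[^>]*>")


def strip_tags_naive(html: str) -> str:
    return NAIVE_TAG_RE.sub("", html)


class _TextExtractor(HTMLParser):
    """Collect text nodes only: tags, attributes and comments are dropped,
    and the bodies of <script>/<style> are skipped because they are code,
    not user-visible text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self._parts.append(data)

    def text(self) -> str:
        return "".join(self._parts)


def strip_tags_parsed(html: str) -> str:
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return p.text()


# Constructed corner cases: a quoted '>' inside an attribute, a comment that
# wraps a tag, and a script body that is code rather than text.
CORNER_CASES = {
    "attr_gt": '<a title=">">click</a>',   # naive leaves '">click'
    "comment": "<!-- <b> -->text",          # naive leaves ' -->text'
    "script": "<script>alert(1)</script>",  # naive leaves 'alert(1)'
}


def compare(html: str):
    """Return (naive_result, parsed_result) for one input."""
    return strip_tags_naive(html), strip_tags_parsed(html)


# 2. SQL: the value must reach the database as a bound parameter, never as
#    text spliced into the statement, however carefully it was "escaped".

def lookup_unsafe(conn, username: str):
    # The value becomes part of the SQL text and is parsed as SQL.
    return conn.execute(
        "SELECT name FROM users WHERE name = '%s'" % username).fetchall()


def lookup_param(conn, username: str):
    # The driver sends the value separately; it is compared, not parsed.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (username,)).fetchall()


def demo_sql():
    """Return (rows returned by the unsafe query, rows returned by the
    parameterised query) for the classic tautology payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    payload = "x' OR '1'='1"
    return len(lookup_unsafe(conn, payload)), len(lookup_param(conn, payload))


if __name__ == "__main__":
    for name, html in CORNER_CASES.items():
        print(name, compare(html))
    print("sql rows (unsafe, param):", demo_sql())
```

Running it shows the regex leaving `">click`, ` -->text` and `alert(1)` where the parser yields `click`, `text` and an empty string, and the tautology payload returning every user row through the string-formatted query but none through the bound parameter. One caveat on the parser route: with convert_charrefs enabled, `&lt;script&gt;` comes back as `<script>`, so stripped text still has to be HTML-escaped when it is rendered; stripping is not a substitute for output encoding.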