From: | "Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com> |
---|---|
To: | A(dot)M(dot) <agentm(at)themactionfaction(dot)com> |
Cc: | pgsql-general <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: stripping HTML, SQL injections ... |
Date: | 2007-11-14 23:16:22 |
Message-ID: | dcc563d10711141516v1f14f1a6rdaeb041b2577aeaf@mail.gmail.com |
Lists: | pgsql-general |
On Nov 14, 2007 4:51 PM, A.M. <agentm(at)themactionfaction(dot)com> wrote:
>
>
> On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
>
> > On Nov 14, 2007 2:40 PM, madhtr <madhtr(at)schif(dot)org> wrote:
> >> Quick question, are there any native functions in PostGreSQL 8.1.4
> >> that will
> >> strip HTML tags, escape chars, etc?
> >
> > I can't think of a lot of native functions, but it's sure easy enough
> > to roll your own with things like the regex functionality built in.
>
> Please don't do that- there are corner cases where a naive regex can
> fail, leaving the programmer thinking he is covered when he is not.
> The variety of web languages include filtering modules
> (HTML::Scrubber)- in the case of Perl or PHP, it can even be run
> server-side.
And given that pl/PHP can run that inside the database, there's a
reason you can't do it there?
> Furthermore, one shouldn't use an API which allows for SQL injections.
Oh heck, I hadn't even noticed he was asking about escaping things. I
guess it really matters what he means by escaping them. If he's
talking url encoding decoding, that's something you could do safely in
the db (again, with something like pl/PHP or pl/perl) but SQL escaping
should be done before the db ever sees the data.
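To make the distinction in the message above concrete, here is an added example (not code from the thread or from the list members). It assumes Python's built-in sqlite3 as a stand-in for a PostgreSQL connection (with psycopg2 the placeholder would be %s rather than ?), and shows why the SQL quoting belongs in the client's bound parameters while URL decoding can happen anywhere:

```python
import sqlite3
from urllib.parse import unquote

# Added example; sqlite3 stands in for PostgreSQL (assumption).

def make_db():
    """Constructed sample table with one row containing an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    # Bound parameter: the apostrophe is stored literally, no escaping needed.
    conn.execute("INSERT INTO comments (body) VALUES (?)", ("O'Reilly",))
    conn.commit()
    return conn

def query_interpolated(conn, needle):
    """Builds the statement by string interpolation, so the server's SQL
    parser sees the user's text as part of the statement itself.
    Returns ('ok', rows) or ('error', message)."""
    sql = "SELECT body FROM comments WHERE body = '%s'" % needle
    try:
        return ("ok", [row[0] for row in conn.execute(sql)])
    except sqlite3.OperationalError as exc:
        # A perfectly legitimate apostrophe already breaks the statement;
        # by the time the server sees it, it is too late to "escape" anything.
        return ("error", str(exc))

def query_bound(conn, needle):
    """Sends the statement and the value separately: the value is never
    parsed as SQL, so quotes inside it need no escaping at all."""
    rows = conn.execute("SELECT body FROM comments WHERE body = ?", (needle,))
    return [row[0] for row in rows]

def lookup_from_url(conn, encoded):
    """URL decoding is ordinary data transformation and could equally live
    in a PL function; the SQL binding still happens on the client side."""
    return query_bound(conn, unquote(encoded))

if __name__ == "__main__":
    db = make_db()
    print(query_interpolated(db, "O'Reilly"))  # ('error', ...)
    print(query_bound(db, "O'Reilly"))         # ["O'Reilly"]
    print(lookup_from_url(db, "O%27Reilly"))   # ["O'Reilly"]
```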