| From: | Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> |
|---|---|
| To: | RebeccaJ <rebeccaj(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: text column constraint, newbie question |
| Date: | 2009-03-22 19:36:55 |
| Message-ID: | dcc563d10903221236v78b21844ua37e76bfc5a7f9f9@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Sun, Mar 22, 2009 at 11:36 AM, RebeccaJ <rebeccaj(at)gmail(dot)com> wrote:
>> > Are there characters, maybe non-printing characters, or perhaps
>> > even whole phrases, that could cause problems in my database or
>> > application if I were to allow users to enter them into that column?
>>
>> > If so, does anyone happen to have a regular expression handy that you
>> > think is a good choice for text columns' CHECK constraint? Or maybe a
>> > link to a discussion of this topic?
>>
>> Nope, there's nothing you can put into a text to break pgsql.
>> However, if you are using regular old queries, you'd be advised to use
>> pg_escape_string() function in php to prevent SQL injection attacks.
>
> Thanks! I'll check out pg_escape_string() in php, and I see that
> PostgreSQL also has something called PQescapeStringConn... I wonder if
> I should use both...
Isn't PGescapeStringConn a libpq function? I'm pretty sure that php's
pg_escape_string is just calling that for you, so no need to use both.
> Also, I should have asked: what about char and varchar fields? Can
> those also handle any characters, as long as I consider SQL injection
> attacks?
ayup. As long as they're legal for your encoding, they'll go right in.
If you wanna stuff in anything no matter the encoding, use a database
initialized for SQL_ASCII encoding.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | M L | 2009-03-22 22:47:48 | The tuple structure of a not-yet-assigned record is indeterminate. |
| Previous Message | Tom Lane | 2009-03-22 19:30:32 | Re: Understanding Execution Plans |