On Mon, Mar 23, 2009 at 12:59 AM, Stephen Cook <sclists(at)gmail(dot)com> wrote:
> You should use pg_query_params() rather than build a SQL statement in your
> code, to prevent SQL injection attacks. Also, if you are going to read this
> data back out and show it on a web page you probably should make sure there
> is no rogue HTML or JavaScript or anything in there with htmlentities() or
> somesuch.
Are you saying pg_quer_params is MORE effective than pg_escape_string
at deflecting SQL injection attacks?