From: | ljb <ljb220(at)mindspring(dot)com> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | 8.1.4: Who says "PHP deprecated addslashes since 4.0"? |
Date: | 2006-05-25 00:42:00 |
Message-ID: | e52ugo$1hnk$1@news.hub.org |
Lists: | pgsql-general |
The PostgreSQL-8.1.4 release documentation says we should be using
PostgreSQL-supplied string escaping routines, not "homebrew" methods.
No argument from me on this.

But in the "User Guide to the 8.1.4 Security Update", it says:

| An example of an application at risk is a PHP program that uses
| addslashes() or magic_quotes. We note that these tools have been deprecated
| by the PHP group since version 4.0.

Can anyone provide a source for the statement? It's odd, since PHP-4.0 was
released on 2000-05-22, shortly after PostgreSQL-7.0, and the PQescapeString()
function wasn't even added to libpq until PostgreSQL-7.2 almost 2 years later.
The current PHP reference manual doesn't discourage use of addslashes() for
database input. I agree with you - this is wrong - but where did the
"We note... deprecated by the PHP group since version 4.0" line come from?
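To make the distinction the 8.1.4 advisory draws concrete, here is an added PHP example (not from the original post or from the PostgreSQL project) showing the three ways a PHP program can get a user-supplied value into a query: the addslashes() path the advisory calls "homebrew", the PostgreSQL-supplied pg_escape_string() path (a wrapper around libpq's escaping that is told which connection it is escaping for), and a parameterized query that needs no escaping at all. The connection string, the users table and its columns are assumptions made for the example.

```php
<?php
// Added example, not code from the original post. Connection string,
// table and column names are assumptions.

// The "homebrew" path the advisory warns about: addslashes() is a generic
// PHP string function. It does not know the connection's client encoding
// or its standard_conforming_strings setting, so the escaper and the
// server can disagree about where the literal ends.
function build_query_addslashes(string $name): string
{
    return "SELECT id FROM users WHERE name = '" . addslashes($name) . "'";
}

// The PostgreSQL-supplied path: pg_escape_string() with a connection
// argument escapes according to that connection's encoding and settings
// (it wraps libpq's PQescapeStringConn()).
function build_query_pg_escape($conn, string $name): string
{
    return "SELECT id FROM users WHERE name = '" . pg_escape_string($conn, $name) . "'";
}

// Preferred: keep user input out of the SQL text entirely. pg_query_params()
// sends the statement and its parameters separately, so no quoting or
// escaping of the value is ever performed in PHP.
function find_user_id($conn, string $name): ?int
{
    $res = pg_query_params($conn, 'SELECT id FROM users WHERE name = $1', [$name]);
    if ($res === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    $row = pg_fetch_row($res);
    return $row === false ? null : (int) $row[0];
}

// Usage; the connection string is an assumption for the example.
$conn = pg_connect('host=localhost dbname=app user=app');
if ($conn === false) {
    exit("connection failed\n");
}
echo build_query_addslashes("O'Brien"), "\n";
echo build_query_pg_escape($conn, "O'Brien"), "\n";
var_dump(find_user_id($conn, "O'Brien"));
```

Of the three, only find_user_id() is independent of the connection's encoding and quoting settings, which is why a parameterized query is the form to prefer; pg_escape_string() with the connection argument is the right choice when SQL text must be assembled by hand, and addslashes() is the one the advisory is asking people to stop using.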