From: Ed Finkler <coj(at)cerias(dot)purdue(dot)edu>
To: Bruno Wolff III <bruno(at)wolff(dot)to>, pgsql-php(at)postgresql(dot)org
Subject: Re: Effectiveness of pg_escape_string at blocking SQL injection attacks
Date: 2005-05-27 16:06:27
Message-ID: 42974583.10207@cerias.purdue.edu
Lists: pgsql-php
Bruno Wolff III wrote:
> The best advice is to use bind parameters rather than trying to build
> SQL strings consisting partly of user input.
That's good advice, but I suspect not everyone is going to know this,
and will have a tendency to use the escaping function to try and clean
input. Do you have any suggestions about improving the security of the
pg_escape_string function?
--
Ed Finkler
Web and Security Archive Administrator
CERIAS - Purdue University
http://www.cerias.purdue.edu/
v: 765.496.6762 f: 764.496.3181
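The two approaches the thread contrasts, as an added PHP example that is not from the original message: interpolating a pg_escape_string() result into the query text, beside the bind-parameter form with pg_query_params(). The connection string and the accounts(id integer, email text) table are placeholders.

```php
<?php
// Added example, not from the thread. Connection details and the
// accounts table are placeholders for illustration only.
$db = pg_connect('host=localhost dbname=app user=app password=PLACEHOLDER');

// Escaping approach: pg_escape_string() only neutralises characters that
// are special inside a single-quoted SQL literal. The caller must still
// remember to put the quotes around the value; the function cannot check
// that for them.
function find_by_email_escaped($db, string $email)
{
    $safe = pg_escape_string($db, $email);
    // Correct only because of the single quotes around $safe.
    return pg_query($db, "SELECT id, email FROM accounts WHERE email = '$safe'");
}

function find_by_id_escaped($db, string $id)
{
    $safe = pg_escape_string($db, $id);
    // Numeric context, no quotes: the escaping has nothing to escape, so
    // whatever the caller passes becomes part of the SQL text. This is the
    // case where relying on the escaping function alone breaks down.
    return pg_query($db, "SELECT id, email FROM accounts WHERE id = $safe");
}

// Bind-parameter approach (the advice quoted above): the statement text
// and the values travel separately, so a value is never parsed as SQL,
// whatever characters it contains and whatever the column type.
function find_by_email_bound($db, string $email)
{
    return pg_query_params($db,
        'SELECT id, email FROM accounts WHERE email = $1', [$email]);
}

function find_by_id_bound($db, string $id)
{
    // The server type-checks the parameter against the integer column; a
    // non-numeric value is rejected as an error, not interpreted as SQL.
    return pg_query_params($db,
        'SELECT id, email FROM accounts WHERE id = $1', [$id]);
}
```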