On Thu, 2004-07-15 at 23:02, DarkSamurai wrote:
> Hi,
>
> To prevent SQL injections, I try to neutralize SQL metacharacters.
>
> ex:
>
> Code:
>
>
> > function SQLString($s) {
> >     // Escape the escape character first, so the backslashes added for
> >     // quotes in the next step are not themselves doubled
> >     $s = str_replace("\\", "\\\\", $s);
> >     $s = str_replace("'", "\\'", $s);
> >     return "'" . $s . "'";
> > }
Have you looked at the function PQescapeString() in the libpq library?
Using that would seem to be a simpler way of solving this problem.
Libraries such as Perl DBI have similar functions built in.
--
Oliver Elphick olly@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
========================================
"For God so loved the world, that he gave his only begotten Son, that
whosoever believeth in him should not perish, but have everlasting life." John 3:16
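The point Oliver makes applies beyond picking a library call: a hand-rolled escaper must treat the escape character before the delimiter, or the backslash it inserts in front of each quote is itself escaped and the quote goes live again. The following Python is an added illustration, not code from either poster. It models PostgreSQL's literal syntax as it behaved at the time of this thread (backslash acts as an escape inside a single-quoted string, and a doubled quote is a literal quote), compares the posted replacement order with the corrected order and with the doubling style PQescapeString() uses, and checks each result with a small literal scanner. Sample inputs are constructed.

```python
"""Why the order of str_replace() calls in a SQLString()-style escaper matters.

Assumes PostgreSQL's then-default string literal syntax: inside '...' a
backslash escapes the next character, and '' stands for one quote.
The three escapers below are illustrations written for this comparison.
"""


def escape_quotes_first(value: str) -> str:
    """Replacement order used in the posted SQLString(): quotes, then backslashes."""
    value = value.replace("'", "\\'")
    value = value.replace("\\", "\\\\")
    return "'" + value + "'"


def escape_backslashes_first(value: str) -> str:
    """Corrected order: double existing backslashes before adding new ones."""
    value = value.replace("\\", "\\\\")
    value = value.replace("'", "\\'")
    return "'" + value + "'"


def escape_by_doubling(value: str) -> str:
    """PQescapeString()-style result: backslash -> \\\\ and quote -> ''."""
    value = value.replace("\\", "\\\\").replace("'", "''")
    return "'" + value + "'"


def parse_literal(sql: str):
    """Scan one single-quoted literal under the assumed syntax.

    Returns (decoded_value, trailing_text). trailing_text is whatever
    follows the closing quote; for a correct escaper it is empty and
    decoded_value equals the original input. Raises ValueError when the
    text is not a well-formed literal.
    """
    if not sql.startswith("'"):
        raise ValueError("not a quoted literal")
    out = []
    i, n = 1, len(sql)
    while i < n:
        c = sql[i]
        if c == "\\":
            # Backslash escape: the next character is taken literally.
            if i + 1 >= n:
                raise ValueError("dangling backslash")
            out.append(sql[i + 1])
            i += 2
        elif c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                # Doubled quote inside the literal.
                out.append("'")
                i += 2
            else:
                # Closing quote: anything after it is outside the literal.
                return "".join(out), sql[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated literal")


def round_trips(escaper, value: str) -> bool:
    """True when the escaped literal decodes to value with nothing left over."""
    decoded, trailing = parse_literal(escaper(value))
    return decoded == value and trailing == ""


if __name__ == "__main__":
    # Constructed inputs: a quote inside a name, a backslash-terminated path,
    # and a value that already contains a backslash-quote pair.
    samples = ["O'Reilly", "C:\\temp\\", "a\\'b", ""]
    for escaper in (escape_quotes_first, escape_backslashes_first, escape_by_doubling):
        for s in samples:
            decoded, trailing = parse_literal(escaper(s))
            print(f"{escaper.__name__:24} {s!r:12} -> {decoded!r:12} trailing={trailing!r}")
```

Running it shows that with the posted order `O'Reilly` becomes `'O\\'Reilly'`: the scanner reads `O\` as the literal and `Reilly'` as trailing SQL text, which is exactly the outcome the escaper was meant to rule out. Both the corrected order and the doubling style round-trip every sample with no trailing text.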