Re: text column constraint, newbie question
| От | David Fetter |
|---|---|
| Тема | Re: text column constraint, newbie question |
| Дата | |
| Msg-id | 20090323145155.GC10660@fetter.org обсуждение |
| Ответ на | Re: text column constraint, newbie question (Scott Marlowe <scott.marlowe@gmail.com>) |
| Список | pgsql-general |
On Mon, Mar 23, 2009 at 01:07:18AM -0600, Scott Marlowe wrote: > On Mon, Mar 23, 2009 at 12:59 AM, Stephen Cook <sclists@gmail.com> wrote: > > You should use pg_query_params() rather than build a SQL statement > > in your code, to prevent SQL injection attacks. Also, if you are > > going to read this data back out and show it on a web page you > > probably should make sure there is no rogue HTML or JavaScript or > > anything in there with htmlentities() or somesuch. > > Are you saying pg_quer_params is MORE effective than > pg_escape_string at deflecting SQL injection attacks? Yes. Much more. Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
В списке pgsql-general по дате отправления: