8.1.4: Who says "PHP deprecated addslashes since 4.0"?

From ljb
Subject 8.1.4: Who says "PHP deprecated addslashes since 4.0"?
Date
Msg-id e52ugo$1hnk$1@news.hub.org
Replies Re: 8.1.4: Who says "PHP deprecated addslashes since 4.0"?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general

The PostgreSQL-8.1.4 release documentation says we should be using
PostgreSQL-supplied string escaping routines, not "homebrew" methods.
No argument from me on this.

But in the "User Guide to the 8.1.4 Security Update", it says:
|  An example of an application at risk is a PHP program that uses
|  addslashes() or magic_quotes. We note that these tools have been deprecated
|  by the PHP group since version 4.0.

Can anyone provide a source for the statement? It's odd, since PHP-4.0 was
released on 2000-05-22, shortly after PostgreSQL-7.0, and the PQescapeString()
function wasn't even added to libpq until PostgreSQL-7.2 almost 2 years later.

The current PHP reference manual doesn't discourage use of addslashes() for
database input. I agree with you - this is wrong - but where did the
"We note... deprecated by the PHP group since version 4.0" line come from?
