On Mon, Mar 23, 2009 at 3:07 AM, Scott Marlowe <scott.marlowe@gmail.com> wrote:
> Are you saying pg_quer_params is MORE effective than pg_escape_string
> at deflecting SQL injection attacks?
pg_query_params() will protect non-strings. For instance, read a
number in from user input and do something of the form " and
foo=$my_number". Even if you escape the string, an attacker doesn't
need a ' to close a string, so he can manage injection. If it's " and
foo=$1" using pg_query_params(), however, that's not possible.
--
- David T. Wilson
david.t.wilson@gmail.com