I just LOVE it when I ask a very straightforward question on a mailing list, and get an “answer” that doesn’t address it at all.
Folks, the PHP mysql API has a function "mysql_real_escape_string" that seems to be able to thwart known SQL injection attacks -- at least the ones of which I and other people I've discussed this with know. I am curious to know if pg_escape_string is as effective. If not, what would need to be modified to make it more effective? (There is a possibility that I may be able to get a grad student to work on this at the center, so detailed responses would be appreciated.)
The best advice is to use bind parameters rather than trying to build SQL strings consisting partly of user input.
Yes, that’s not bad advice, and I’m sure you’re just trying to help, but could you ANSWER THE FUCKING QUESTION? Or, if you don’t know, DON’T ANSWER.
Original link: http://www.livejournal.com/users/funkatron/102198.html
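For readers who want to see what the two sides of that exchange look like in code, here is an added example (not from the original post or the mailing-list thread) that puts the quoted pg_escape_string approach next to the parameterised-query approach the reply recommends. It assumes a reachable PostgreSQL server with a table named users (id integer, username text); the connection string, table and column names are placeholders. The third function is included because it is the case where escaping alone gives no protection at all: a value spliced into a numeric comparison without quotes never passes through the quote-escaping logic, so only a cast or a bound parameter helps.

```php
<?php
// Added example (not from the original post or thread).
// Requires the pgsql extension. The connection string is a placeholder.
$conn = pg_connect('host=localhost dbname=app user=app password=secret');
if ($conn === false) {
    die('could not connect');
}

// Form 1: string building with pg_escape_string.
// Only sound when (a) the escaped value lands inside single quotes and
// (b) the connection is passed so the escaper knows the client encoding
// and the server's standard_conforming_strings setting.
function find_user_escaped($conn, string $username): array
{
    $escaped = pg_escape_string($conn, $username);
    $sql = "SELECT id, username FROM users WHERE username = '$escaped'";
    $res = pg_query($conn, $sql);
    if ($res === false) {
        return [];
    }
    return pg_fetch_all($res) ?: [];
}

// Form 2: bound parameters, the advice given in the reply.
// The SQL text is fixed; $1 is sent separately from the data, so the
// server never parses user input as part of the statement at all.
function find_user_params($conn, string $username): array
{
    // Single-quoted PHP string: $1 stays literal for libpq to see.
    $sql = 'SELECT id, username FROM users WHERE username = $1';
    $res = pg_query_params($conn, $sql, [$username]);
    if ($res === false) {
        return [];
    }
    return pg_fetch_all($res) ?: [];
}

// Form 3: the case escaping cannot cover.
// A numeric comparison has no surrounding quotes, so pg_escape_string
// would change nothing. Either coerce the type in PHP or bind it; here
// both are done so the query is safe even if the cast is later removed.
function find_user_by_id($conn, $id): array
{
    if (!is_numeric($id)) {
        return [];
    }
    $sql = 'SELECT id, username FROM users WHERE id = $1';
    $res = pg_query_params($conn, $sql, [(int) $id]);
    if ($res === false) {
        return [];
    }
    return pg_fetch_all($res) ?: [];
}

// Usage with constructed input (a name containing a quote character).
$name = "O'Brien";
var_dump(find_user_escaped($conn, $name));
var_dump(find_user_params($conn, $name));
var_dump(find_user_by_id($conn, '42'));
```

In a code review, the thing to check is the context around every interpolated value, not just whether some escape function was called: pg_escape_string is correct only inside single quotes, pg_escape_identifier is the one for table or column names, and pg_escape_literal (which adds the quotes itself) removes the chance of forgetting them. Bound parameters sidestep the whole question, which is why the reply's advice is the usual answer even when it is not the one asked for.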