Re: PQescapeStringConn problem
From | Tom Lane |
---|---|
Subject | Re: PQescapeStringConn problem |
Date | |
Msg-id | 14249.1273943612@sss.pgh.pa.us |
In response to | PQescapeStringConn problem (Oliver Kindernay <oliver.kindernay@gmail.com>) |
Responses | Re: PQescapeStringConn problem |
List | pgsql-novice |

Oliver Kindernay <oliver.kindernay@gmail.com> writes:

> Hi. I am using libpq in my C application to communicate with database.
> Application gets input from untrustworthy source and then uses it in
> SQL requests. To avoid SQL injection I want to use PQescapeStringConn
> function. The problem is, that I don't know how to properly use this
> function.
> http://www.postgresql.org/docs/7.3/static/libpq-exec.html#LIBPQ-EXEC-ESCAPE-STRING
> How can I know the size of "to" buffer before I call this function?

I trust you're not *really* using Postgres 7.3? But in any case, that
documentation says

    to shall point to a buffer that is able to hold at least one more byte than twice the value of length

ie maximum output is 2 bytes per input byte, plus a null terminator.

regards, tom lane
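
Added example, not part of the original message and not libpq code: sizing the `to` buffer as 2 * length + 1 with an overflow check before allocating. `escape_buf_size`, `model_escape` and `escape_alloc` are hypothetical names; `model_escape` is a simplified stand-in that doubles `'` and `\` so the block runs without a database connection.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the "to" buffer for `len` input bytes: 2 * len + 1.
 * Returns 0 when that would overflow size_t; the caller must reject it. */
size_t escape_buf_size(size_t len)
{
    if (len > (SIZE_MAX - 1) / 2)
        return 0;
    return 2 * len + 1;
}

/* Stand-in for PQescapeStringConn (assumption: simplified model): doubles
 * ' and \, NUL-terminates, returns bytes written excluding the NUL. */
size_t model_escape(char *to, const char *from, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (from[i] == '\'' || from[i] == '\\')
            to[n++] = from[i];          /* extra byte for an escaped char */
        to[n++] = from[i];
    }
    to[n] = '\0';                       /* at most 2 * len + 1 bytes total */
    return n;
}

/* Allocate the worst-case buffer and escape into it. NULL on overflow or OOM. */
char *escape_alloc(const char *from, size_t len, size_t *out_len)
{
    size_t cap = escape_buf_size(len);
    char *to = cap ? malloc(cap) : NULL;
    if (to == NULL)
        return NULL;
    *out_len = model_escape(to, from, len);
    return to;                          /* caller frees */
}

int main(void)
{
    const char *input = "O'Brien\\''";  /* constructed sample input */
    size_t n = 0;
    char *esc = escape_alloc(input, strlen(input), &n);
    if (esc == NULL) return 1;
    printf("%zu in, %zu out, cap %zu: %s\n", strlen(input), n, escape_buf_size(strlen(input)), esc);
    free(esc);
    return 0;
}
```

With libpq, the `model_escape` call is where `PQescapeStringConn(conn, to, from, len, &error)` goes; the buffer sizing is unchanged, and `error` should be checked afterwards.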