On Sun, Apr 03, 2005 at 03:27:47AM +0300, Volkan YAZICI wrote:
>
> By using PQescapeString() and PQescapeBytea() we can protect SQL
> commands from SQL-Injection. I just wonder if it's necessary to
> use these escape functions when using PQexecParams() or
> PQsendQueryParams(); or these execParam functions don't need
> escaping literals?
Here's an excerpt from the PQexecParams() documentation:
The primary advantage of PQexecParams over PQexec is that parameter values may be separated from the command
string,thus avoiding the need for tedious and error-prone quoting and escaping.
Run some tests: create queries that do simple (but harmless) SQL
injection, submit them unescaped with PQexec() to verify that the
injection works, then escape them and submit them with PQexec() to
verify that escaping prevents the injection, then submit them
unescaped with PQexecParams() and observe what happens, then escape
them and submit them with PQexecParams() and observe what happens.
--
Michael Fuhr
http://www.fuhr.org/~mfuhr/