Re: SQL injection

On Mon, Oct 31, 2005 at 10:12:45AM -0800 I heard the voice of
Ben, and lo! it spake thus:
> Maybe I'm not very creative, but it sure seems to me that if you
> escape your strings, make sure your numbers are numbers, and your
> booleans are actually booleans, then you're protected....

Once nice touch is that booleans and numbers will be accepted by Pg if
they're escaped and quoted like strings.  So, in PHP, I always run
EVERYTHING through a wrapper db_quote() function that returns
something like ("'" . pg_escape_string(foo) . "'") (or its equivalent
in MySQL, etc) and just call it fixed.  Of course, I do type checks
for user feedback and such as well, but in case something slips
through, it's all escaped.


--
Matthew Fuller     (MF4839)   |  fullermd@over-yonder.net
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/
           On the Internet, nobody can hear you scream.