Re: More PHP DB abstraction layer stuff

Nigel J. Andrews wrote:
> Has anyone seen/used this:
>
> http://www.zend.com/codex.php?CID=324
>
> It looks fairly inoccuous. It also claims to not load an entire dataset into
> memory, i.e. uses cursors but I don't see where they're used, unless its
> inherent in the PHP Pg interface.
>
> One thing that always gets me is why people think quoting the ' in a string is
> a security feature when they don't allow for someone giving \' in the
> string. On the other hand I'm never sure how to protect against such 'odd
> number of escapes' attacks. Anyone got any clues? Does PQescape do it?

If it's any help, and approach that I feel is safe is to use the PHP
functions rawurlencode() on all data as soon as it hits the page, then
use that encoded data everywhere in the PHP code (including for storage
in the database), and use rawurldecode() if/when it needs to be spat out
to a browser.

The only real disadvantage is that column widths for data storage need
to be wider, but for databases without huge resource requirements it's
not real noticeable, and the data is pretty safe in encoded form.

:-)

Regards and best wishes,

Justin Clift

> --
> Nigel Andrews
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html


--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi