Re: text column constraint, newbie question
| От | Stephen Cook |
|---|---|
| Тема | Re: text column constraint, newbie question |
| Дата | |
| Msg-id | 49C7334B.2010400@gmail.com обсуждение исходный текст |
| Ответ на | Re: text column constraint, newbie question (RebeccaJ <rebeccaj@gmail.com>) |
| Ответы |
Re: text column constraint, newbie question
|
| Список | pgsql-general |
You should use pg_query_params() rather than build a SQL statement in your code, to prevent SQL injection attacks. Also, if you are going to read this data back out and show it on a web page you probably should make sure there is no rogue HTML or JavaScript or anything in there with htmlentities() or somesuch. RebeccaJ wrote: >>> Are there characters, maybe non-printing characters, or perhaps >>> even whole phrases, that could cause problems in my database or >>> application if I were to allow users to enter them into that column? >>> If so, does anyone happen to have a regular expression handy that you >>> think is a good choice for text columns' CHECK constraint? Or maybe a >>> link to a discussion of this topic? >> Nope, there's nothing you can put into a text to break pgsql. >> However, if you are using regular old queries, you'd be advised to use >> pg_escape_string() function in php to prevent SQL injection attacks. > > Thanks! I'll check out pg_escape_string() in php, and I see that > PostgreSQL also has something called PQescapeStringConn... I wonder if > I should use both... > > Also, I should have asked: what about char and varchar fields? Can > those also handle any characters, as long as I consider SQL injection > attacks? >
В списке pgsql-general по дате отправления: