Re: stripping HTML, SQL injections ...
From | Scott Marlowe |
---|---|
Subject | Re: stripping HTML, SQL injections ... |
Date | |
Msg-id | dcc563d10711141516v1f14f1a6rdaeb041b2577aeaf@mail.gmail.com |
In reply to | Re: stripping HTML, SQL injections ... ("A.M." <agentm@themactionfaction.com>) |
List | pgsql-general |
On Nov 14, 2007 4:51 PM, A.M. <agentm@themactionfaction.com> wrote:
>
> On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
>
> > On Nov 14, 2007 2:40 PM, madhtr <madhtr@schif.org> wrote:
> >> Quick question, are there any native functions in PostgreSQL 8.1.4
> >> that will strip HTML tags, escape chars, etc?
> >
> > I can't think of a lot of native functions, but it's sure easy enough
> > to roll your own with things like the regex functionality built in.
>
> Please don't do that - there are corner cases where a naive regex can
> fail, leaving the programmer thinking he is covered when he is not.
> The variety of web languages include filtering modules
> (HTML::Scrubber) - in the case of Perl or PHP, it can even be run
> server-side.

And given that pl/PHP can run that inside the database, there's a reason
you can't do it there?

> Furthermore, one shouldn't use an API which allows for SQL injections.

Oh heck, I hadn't even noticed he was asking about escaping things. I
guess it really matters what he means by escaping them. If he's talking
URL encoding/decoding, that's something you could do safely in the db
(again, with something like pl/PHP or pl/perl), but SQL escaping should
be done before the db ever sees the data.