Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: Use of pg_escape_string()
- From: Raymond O'Donnell <rod(at)iol(dot)ie>
- To: Sylvain Racine <syracine(at)sympatico(dot)ca>
- Cc: pgsql-php(at)postgresql(dot)org
- Subject: Re: Use of pg_escape_string()
- Date: Sun, 22 Nov 2009 19:44:48 +0000
- Message-id: <4B0994B0.9040406@iol.ie> <text/plain>
On 22/11/2009 19:22, Sylvain Racine wrote:
> Hello,
>
> I use to hear about to escape every variables who come from user in PHP.
> Most programmers around me use MySQL with mysql_escape_string(). Because
> I program with PostgreSQL, I take advantage to use pg_escape_string().
> Everything goes well, up I entered data with apostrophe(').
> pg_escape_string() escapes my apostrophe with another apostrophe ('').
> My data are well store in database. No error... except that appears a
> double apostrophe. This is not what I want.
>
> Maybe something is wrong in my program. Here is a sample of what I use
> to store data in table "personnes" which have two columns: firstname,
> lastname. I remove database connection and construction of objects
> Minute and Personnes.
Where is the INSERTed data coming from? - Is it coming from data
submitted by GET or POST? - if so, is magic_quotes_gpc turned on? If it
is, this could explain what you're seeing.
BTW, it's much better to use parametrised queries - look up
pg_query_params in the PHP docs. This looks after all quoting for you
automatically, and prevents SQL injection attacks.
Ray.
--
Raymond O'Donnell :: Galway :: Ireland
rod(at)iol(dot)ie
- Follow-Ups:
- Re: Use of pg_escape_string()
- From: Eric Chamberlain
- Re: Use of pg_escape_string()
- References:
- Use of pg_escape_string()
- From: Sylvain Racine
- Use of pg_escape_string()
- Prev by Date: Use of pg_escape_string()
- Next by Date: Re: Use of pg_escape_string()
- Previous by thread: Use of pg_escape_string()
- Next by thread: Re: Use of pg_escape_string()
- Indexes: