On Mon, Mar 23, 2009 at 3:07 AM, Scott Marlowe <scott.marl...@gmail.com> wrote:
> Are you saying pg_query_params is MORE effective than pg_escape_string
> at deflecting SQL injection attacks?

pg_query_params() will protect non-strings. For instance, read a number in from user input and do something of the form " and foo=$my_number". Even if you escape the string, an attacker doesn't need a ' to close a string, so he can manage injection. If it's " and foo=$1" using pg_query_params(), however, that's not possible.

--
- David T. Wilson
david.t.wil...@gmail.com

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
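The point David makes above, worked through as an added example that is not part of the mailing-list thread. It is written in Python with the standard-library sqlite3 module as a stand-in engine (the PHP pg_* functions need a live PostgreSQL connection); the table, its rows and the test inputs are all constructed for the demo, and `escape_string()` is a deliberately minimal imitation of what pg_escape_string() does to quotes. The first function reproduces the `" and foo=$my_number"` pattern from the post, the second uses a bound parameter in place of `$1`, and the third adds type validation as defence in depth:

```python
import re
import sqlite3

# Constructed sample data: three users, two of them administrators.
ROWS = [(1, "alice", 0), (2, "bob", 1), (3, "carol", 1)]


def escape_string(value: str) -> str:
    """Stand-in for pg_escape_string(): double any single quote.

    This is all quote-escaping can do.  It only helps when the value is
    going to sit between quotes in the final SQL text."""
    return value.replace("'", "''")


def _run(sql: str, params: tuple = ()) -> list:
    """Create the constructed table in memory and run one query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


def lookup_unsafe(user_value: str) -> list:
    """The vulnerable pattern from the post: escaped input spliced into a
    numeric comparison.  No quotes surround the value, so doubling quotes
    changes nothing; whatever the user typed becomes part of the SQL."""
    sql = ("SELECT id, name FROM users WHERE admin=0 AND id="
           + escape_string(user_value))
    return _run(sql)


def lookup_param(user_value: str) -> list:
    """The pg_query_params() shape: the SQL text is fixed and the value is
    bound separately ('?' here, '$1' in PostgreSQL).  The engine can only
    ever treat it as a value to compare against id, never as syntax."""
    sql = "SELECT id, name FROM users WHERE admin=0 AND id=?"
    return _run(sql, (user_value,))


def parse_id(user_value: str) -> int:
    """Defence in depth: a numeric field should be an int before it is
    anywhere near a query.  Rejects anything that is not plain digits."""
    text = user_value.strip()
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError(f"not a non-negative integer: {user_value!r}")
    return int(text)


def lookup_hardened(user_value: str) -> list:
    """Validate the type, then bind it as a parameter."""
    return lookup_param(str(parse_id(user_value)))


if __name__ == "__main__":
    # Well-formed input behaves identically in all three versions.
    print(lookup_unsafe("1"), lookup_param("1"), lookup_hardened("1"))
    # The post's scenario: no quote needed, the escaped string still
    # rewrites the WHERE clause and the admin filter is bypassed.
    print(lookup_unsafe("1 OR 1=1"))
    # With a bound parameter the same text is just a value that matches
    # no id; with validation it is rejected before any query runs.
    print(lookup_param("1 OR 1=1"))
    try:
        lookup_hardened("1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows the asymmetry David describes: the escaped-and-spliced query returns every row, including the administrators the `admin=0` predicate was meant to exclude, while the parameterised query returns nothing for the same input and the validated version refuses it outright.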